Description

The default upload mechanism in Apache Struts 2 is based on Commons FileUpload version 1.3 which is vulnerable and allows DoS attacks. Additional ParametersInterceptor allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader manipulation.

The excluded parameter pattern introduced in version 2.3.16.1 to block access to getClass() method wasn't sufficient. It is possible to omit that with specially crafted requests. Also CookieInterceptor is vulnerable for the same kind of attack when it was configured to accept all cookies (when "*" is used to configure cookiesName param).

This vulnerability also affects Apache Struts 1 versions 1.x (<= 1.3.10).

Remediation

Upgrade to Struts 2.3.20.

References

Apache Struts S2-021

Related Vulnerabilities

MediaWiki remote code execution

WordPress Plugin ProfileGrid-User Profiles, Memberships, Groups and Communities Remote Code Execution (2.8.5)

Umbraco CMS remote code execution

Drupal Core 9.0.x Remote Code Execution (9.0.0 - 9.0.7)

Apache OFBiz XMLRPC Deserialization RCE (CVE-2020-9496)

Severity

High

Classification

CVE-2014-0112 CVE-2014-0113 CVE-2014-0114 CWE-701 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Denial Of Service