Description
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator passed to the REST Plugin.
Remediation
References
http://struts.apache.org/docs/s2-033.html
http://www.securityfocus.com/bid/90960
http://www.securitytracker.com/id/1036017
http://www-01.ibm.com/support/docview.wss?uid=swg21987854
https://www.exploit-db.com/exploits/39919/