Description
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.
Remediation
References
http://struts.apache.org/docs/s2-033.html
http://www.securityfocus.com/bid/90960
http://www.securitytracker.com/id/1036017
http://www-01.ibm.com/support/docview.wss?uid=swg21987854
https://www.exploit-db.com/exploits/39919/