Description
In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side.
Remediation
References
http://www.securityfocus.com/bid/93773
https://security.netapp.com/advisory/ntap-20180629-0003/
https://struts.apache.org/docs/s2-042.html
Related Vulnerabilities
CVE-2018-14042 Vulnerability in maven package org.webjars:bootstrap-sass
CVE-2019-10293 Vulnerability in maven package org.jenkins-ci.plugins:kmap-jenkins
CVE-2021-23360 Vulnerability in npm package killport
CVE-2020-17519 Vulnerability in maven package org.apache.flink:flink-runtime_2.11
CVE-2020-2288 Vulnerability in maven package org.jenkins-ci.plugins:audit-trail