Apache Roller OGNL injection

Description

Apache Roller is a full-featured, multi-user and group-blog server suitable for blog sites large and small. It is a Java web application that runs on most Java EE servers and relational databases.

Apache Roller 5.x releases earlier than 5.0.2, and all 4.x releases, contain an OGNL injection flaw that is reachable without authentication (pre-authenticated) and can lead to remote code execution (RCE).

Remediation

Upgrade to the latest version of Apache Roller; the issue was fixed in version 5.0.2, so any 5.0.2 or later release is not affected.
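To turn the affected range above (all 4.x, and 5.x before 5.0.2) and the remediation (5.0.2 or later) into a check that can be run over an inventory of deployed instances, here is an added example in Python. It is not code from Apache Roller or from this advisory; the version strings it processes are constructed samples, and the three-way result ("affected", "fixed", "unknown") is this example's own convention. Versions older than 4.x are reported as "unknown" because the advisory says nothing about them, and a string that carries no recognisable version is likewise "unknown" rather than assumed safe.

```python
"""Classify Apache Roller version strings against the ranges this advisory states:
every 4.x release and every 5.x release before 5.0.2 are affected; 5.0.2 and later
are fixed. Example added for this page; not part of Apache Roller."""
import re
from typing import Dict, List, Optional, Tuple

# First fixed release, as stated in the advisory.
FIXED_IN: Tuple[int, int, int] = (5, 0, 2)

# Constructed sample inputs (not real scan output): version strings as they might
# appear in a page footer, a build manifest or an asset-inventory export.
SAMPLE_VERSIONS: List[str] = [
    "4.0.1",
    "5.0",
    "5.0.1",
    "5.0.2",
    "5.1.2",
    "6.0.0",
    "Roller Weblogger 5.0.1-SNAPSHOT",
    "3.1",
    "unknown",
]


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull the first dotted numeric version out of free text.

    Returns a tuple of integers, e.g. "5.0.1-SNAPSHOT" -> (5, 0, 1), or None when
    no version-like token is present.
    """
    match = re.search(r"\b(\d+(?:\.\d+)*)\b", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def assess(version: str) -> str:
    """Return "affected", "fixed" or "unknown" for one version string.

    "unknown" covers unparsable strings and major versions the advisory does not
    describe (anything below 4.x); it is deliberately not treated as safe.
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    major = parsed[0]
    if major == 4:
        return "affected"  # every 4.x release is affected
    if major == 5:
        # Pad short versions such as "5.0" to three components before comparing.
        padded = tuple(parsed[i] if i < len(parsed) else 0 for i in range(3))
        return "affected" if padded < FIXED_IN else "fixed"
    if major > 5:
        return "fixed"  # later than the fixed release
    return "unknown"  # 3.x and earlier are not covered by the advisory


def triage(versions: List[str]) -> Dict[str, List[str]]:
    """Group an inventory of version strings by assessment result."""
    buckets: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for version in versions:
        buckets[assess(version)].append(version)
    return buckets


if __name__ == "__main__":
    for status, items in triage(SAMPLE_VERSIONS).items():
        print(f"{status}: {items}")
```

A version string is only a first filter: an instance reporting 5.0.1 should be scheduled for upgrade, but a string alone does not prove the presence or absence of a vendor-patched build, so treat "unknown" results as work items rather than as cleared.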

Tags
  • Configuration