Apache Roller OGNL injection

Description
  • Apache Roller is a full-featured, multi-user and group-blog server suitable for blog sites large and small. It runs as a Java web application that should be able to run on almost any Java EE server and relational database.

    Roller 5.x releases earlier than 5.0.2 and all 4.x releases are vulnerable to a pre-authentication (unauthenticated) OGNL injection that can result in remote code execution (RCE).
Remediation
  • Upgrade to the latest version of Apache Roller (the issue was fixed in version 5.0.2).
References