Description
The default upload mechanism in Apache Struts 2 is based on Commons FileUpload version 1.3, which is vulnerable and allows DoS attacks. Additionally, ParametersInterceptor allows access to the 'class' parameter, which is directly mapped to the getClass() method and allows ClassLoader manipulation.
The excluded parameter pattern introduced in version 2.3.16.1 to block access to the getClass() method wasn't sufficient: it is possible to bypass it with specially crafted requests. CookieInterceptor is also vulnerable to the same kind of attack when it is configured to accept all cookies (when "*" is used to configure the cookiesName parameter).
This vulnerability also affects Apache Struts 1 versions 1.x (<= 1.3.10).
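The weakness described above is a request-name screening problem: a literal prefix check on the parameter name is not enough when the name is later interpreted as an OGNL property path, and the same applies to cookie names once CookieInterceptor accepts every cookie. The Python below is an added illustration of the defensive idea, not code from this page or from the Struts project; the function names, the `DENIED_SEGMENTS` set and the sample request are all constructed for the example. It normalises a property path (dot and bracket accessors, mixed case) into segments before comparing, so that a name reaching the `class` property is rejected however it is spelled, while ordinary names such as `user.className` still pass. It is a detection aid for logging or a web-layer filter; the actual fix remains the upgrade given under Remediation.

```python
from __future__ import annotations

import re

# Property segments that must never be reachable from a request parameter or
# cookie name. 'class' resolves to getClass() and from there to the ClassLoader.
# (Constructed for this example; not the Struts excludedParams pattern.)
DENIED_SEGMENTS = {"class"}

# Matches bracket accessors such as ['classLoader'], ["x"] or [0].
_ACCESSOR_RE = re.compile(r"\[\s*['\"]?([^\]'\"]*)['\"]?\s*\]")


def normalise_path(name: str) -> list[str]:
    """Split an OGNL-style path into lower-cased segments.

    'Order[0].Class['classLoader'].x' -> ['order', '0', 'class', 'classloader', 'x']
    """
    dotted = _ACCESSOR_RE.sub(r".\1", name)          # bracket access -> dot access
    return [seg.strip().lower() for seg in dotted.split(".") if seg.strip()]


def is_dangerous_name(name: str) -> bool:
    """True if any segment of the normalised path is a denied property."""
    return any(seg in DENIED_SEGMENTS for seg in normalise_path(name))


def screen_request(params: dict[str, str],
                   cookies: dict[str, str] | None = None) -> dict[str, list[str]]:
    """Return the parameter and cookie names a hardened interceptor should drop.

    Cookies are screened with the same rule because a wildcard cookiesName
    configuration feeds every cookie name into the same property-path logic.
    """
    rejected: dict[str, list[str]] = {"params": [], "cookies": []}
    for name in params:
        if is_dangerous_name(name):
            rejected["params"].append(name)
    for name in (cookies or {}):
        if is_dangerous_name(name):
            rejected["cookies"].append(name)
    return rejected


if __name__ == "__main__":
    # Constructed sample request: two benign names, two that reach 'class'.
    sample_params = {
        "user.className": "admin",
        "order[0].quantity": "3",
        "class.classLoader.x": "1",
        "Class['classLoader'].y": "2",
    }
    sample_cookies = {"JSESSIONID": "abc", "class.classLoader.z": "3"}
    print(screen_request(sample_params, sample_cookies))
```

Names that survive screening should still be matched against an explicit allowlist of the parameters the action actually expects; the denylist here only demonstrates why the check must work on the parsed path rather than on the raw string.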
Remediation
Upgrade to Struts 2.3.20.
References