Description

The default upload mechanism in Apache Struts 2 is based on Commons FileUpload version 1.3 which is vulnerable and allows DoS attacks. Additional ParametersInterceptor allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader manipulation.

The excluded parameter pattern introduced in version 2.3.16.1 to block access to getClass() method wasn't sufficient. It is possible to omit that with specially crafted requests. Also CookieInterceptor is vulnerable for the same kind of attack when it was configured to accept all cookies (when "*" is used to configure cookiesName param).

This vulnerability also affects Apache Struts 1 versions 1.x (<= 1.3.10).

Remediation

Upgrade to Struts 2.3.20.

References

Apache Struts S2-021

Related Vulnerabilities

Oracle Reports rwservlet vulnerabilities

WordPress Plugin Jekyll Exporter Remote Code Execution (2.2.0)

Jboss Application Server HTTPServerILServlet.java remote code execution

WordPress Plugin Loco Translate PHP Code Injection (2.5.3)

Apache HTTP Server Insecure Path Normalization (CVE-2021-41773, CVE-2021-42013)

Severity

High

Classification

CVE-2014-0112 CVE-2014-0113 CVE-2014-0114 CWE-701 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Denial Of Service