Apache Struts 2 ClassLoader manipulation and denial of service (S2-020)

Description
  • The default upload mechanism in Apache Struts 2 is based on Commons FileUpload version 1.3 which is vulnerable and allows DoS attacks. Additional ParametersInterceptor allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader manipulation.
Remediation
  • Upgrade to Struts 2.3.16.1.
References