Apache Struts Remote Code Execution (S2-057)

Description
  • Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are affected by a possible remote code execution when results are used with no namespace and, at the same time, their upper action(s) have no namespace or a wildcard namespace.

    Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the affected application.
Remediation
  • Upgrade to Apache Struts version 2.3.35 or 2.5.17.
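
A triage check for the condition described above, added here as an example (not code from the advisory or the Struts project): it tests a version string against the affected ranges and scans a struts.xml for results that match the description. Assumptions: the result types checked (redirectAction, chain, postback) come from public write-ups of S2-057 rather than this page, any namespace containing * is treated as a wildcard, and the sample configuration is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: result types that resolve a namespace at runtime (from public S2-057 write-ups).
NAMESPACE_RESULTS = {"redirectAction", "chain", "postback"}

def version_affected(version):
    """True for the ranges the advisory lists: 2.3 to 2.3.34 and 2.5 to 2.5.16."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    major, minor, patch = parts
    if major != 2:
        return False
    return (minor == 3 and patch <= 34) or (minor == 5 and patch <= 16)

def audit_struts_xml(xml_text):
    """Return (package, action, result type) for each result matching the advisory's condition."""
    findings = []
    root = ET.fromstring(xml_text)
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        # Condition 1: the enclosing package has no namespace or a wildcard one.
        if ns and "*" not in ns:
            continue
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                rtype = result.get("type")
                if rtype not in NAMESPACE_RESULTS:
                    continue
                # Condition 2: the result does not set its own namespace param.
                has_ns = any(p.get("name") == "namespace" for p in result.iter("param"))
                if not has_ns:
                    findings.append((pkg.get("name"), action.get("name"), rtype))
    return findings

# Constructed sample: one package without a namespace, one with a fixed namespace.
SAMPLE = """<struts>
  <package name="open" extends="struts-default">
    <action name="help">
      <result type="redirectAction"><param name="actionName">index</param></result>
    </action>
  </package>
  <package name="fixed" namespace="/app" extends="struts-default">
    <action name="go"><result type="chain">index</result></action>
  </package>
</struts>"""

if __name__ == "__main__":
    print(version_affected("2.5.16"), audit_struts_xml(SAMPLE))
```

A finding on an affected version marks the application for priority upgrade; an empty result does not replace the upgrade in the remediation above.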