Description

The Apache Struts frameworks when forced, performs double evaluation of attributes' values assigned to certain tags so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered. Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Remediation

Adding a proper validation of each value that's coming in and it's used in tag's attributes.
Don't use forced evaluation of an attribute other than value using %{...} syntax unless really needed for a valid use-case.
By upgrading to Struts 2.3.28, possible malicious effects of forced double evaluation are limited.

References

S2-029

Related Vulnerabilities

WordPress 'wp-admin/options.php' Remote Code Execution Vulnerability (0.6.2 - 2.3.2)

IBM WebSphere RCE Java Deserialization Vulnerability

Reflected Cross-Site Scripting (XSS) vulnerability in PAN-OS management web interface

Oracle E-Business Suite Unauthenticated Remote Code Execution

WordPress Plugin WP-Live Chat by 3CX Remote Code Execution (7.0.01)

Severity

Critical

Classification

CVE-2016-0785 CWE-78 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Acumonitor