Apache Struts2 remote code execution vulnerability

Description

The Apache Struts frameworks when forced, performs double evaluation of attributes' values assigned to certain tags so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered. Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Remediation

Adding a proper validation of each value that's coming in and it's used in tag's attributes.
Don't use forced evaluation of an attribute other than value using %{...} syntax unless really needed for a valid use-case.
By upgrading to Struts 2.3.28, possible malicious effects of forced double evaluation are limited.

References
Severity
Classification
Tags
  • Code Execution