| Rule General Information | |
|---|---|
| Release Date: | 2018-09-03 |
| Rule Name: | WEB-SERVER Apache Struts 2 namespace Expression Language Injection Vulnerability -2 (CVE-2018-11776) |
| Severity: | |
| CVE ID: | |
| Rule Protection Details | |
|---|---|
| Description: | Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are susceptible to possible Remote Code Execution when results are used with no namespace and, at the same time, the enclosing action(s) have no namespace or a wildcard namespace. The same possibility exists when a url tag is used without a value and action set and, at the same time, the enclosing action(s) have no namespace or a wildcard namespace. |
| Impact: | A remote user can execute arbitrary code on the target system. |
| Affected OS: | Network Device, Solaris, FreeBSD, Windows, Mac OS, iOS, Other Unix, Linux, Others, Android |
| Reference: | SecurityFocus BID: 105125; SecurityTracker ID: 1041547; ExploitDB: 45260, 45262; https://security.netapp.com/advisory/ntap-20180822-0001/; https://github.com/hook-s3c/CVE-2018-11776-Python-PoC |
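The description above names a configuration pattern rather than a single line of code, so the following Struts 2 `struts.xml` fragment is added here as an illustration (it is not part of the rule page or of the Struts project): it shows the weak shape the description refers to, a package without a namespace whose action uses a result that also carries no namespace, next to the same mapping with namespaces declared explicitly. The action name, class name and `/reports` namespace are made-up placeholders.

```xml
<!-- Added illustration for the rule description; not from the rule page or the Struts project.
     Action name, class and the /reports namespace are hypothetical. -->
<struts>
    <!-- Weak pattern described on the rule page: the package declares no namespace
         and the redirectAction result declares no namespace, so on the affected
         versions the namespace used for the result is derived from the request
         rather than from configuration. -->
    <package name="weak" extends="struts-default">
        <action name="showReport" class="com.example.ReportAction">
            <result type="redirectAction">
                <param name="actionName">reportList</param>
            </result>
        </action>
    </package>

    <!-- Hardened form: both the package and the result carry a fixed namespace,
         so no request-supplied namespace is consulted for this mapping.
         This is a configuration hygiene step only; the vendor fix (2.3.35 / 2.5.17)
         is still required. -->
    <package name="hardened" namespace="/reports" extends="struts-default">
        <action name="showReport" class="com.example.ReportAction">
            <result type="redirectAction">
                <param name="actionName">reportList</param>
                <param name="namespace">/reports</param>
            </result>
        </action>
    </package>
</struts>
```

A quick audit of an existing deployment is to grep `struts.xml` (and any included configuration files) for `<package` elements lacking a `namespace` attribute or using `namespace="/*"`, and for `redirectAction` or `chain` results without a `namespace` parameter, then treat each hit as a candidate for the explicit form shown above.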
| Solutions |
|---|
| The vendor has issued a fix (2.3.35, 2.5.17); please apply the vendor's patch. The vendor advisory is available at https://cwiki.apache.org/confluence/display/WW/S2-057 |