Apache Struts2 arbitrary code execution vulnerability
Apache Struts is an open source MVC framework for building enterprise Java web applications, maintained by the Apache Software Foundation.
Introduction to Vulnerability
Struts handles file upload requests with the Jakarta multipart parser, and that parser processes the request's Content-Type header unsafely: a remote attacker who sends a crafted Content-Type value can cause remote command execution.
In the default.properties file, the struts.multipart.parser setting accepts two values, jakarta and pell (some versions also offer a third choice, cos). The jakarta parser is a standard component of the Struts 2 framework and is enabled by default, which is why this vulnerability is so severe and must be addressed.
Affected versions
Struts 2.3.5 – Struts 2.3.31
Struts 2.5 – Struts 2.5.10
How to fix
If you are using the Jakarta-based file upload Multipart parser, upgrade to Apache Struts 2.3.32 or 2.5.10.1; alternatively, switch to a different file upload Multipart parser implementation.
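The following is an added defender-side example, not code from the Apache Struts project or from this page. It covers the two practical checks the text above implies: whether a deployment is on an affected version and which multipart parser it has configured (the struts.multipart.parser key and its jakarta default are from the page; the version ranges are from the list above), and a strict Content-Type header validator that a front-end proxy or servlet filter could apply before the multipart parser ever sees the request. The validator only enforces the media-type grammar of RFC 7230/7231 (token characters and quoted strings), so it rejects any header that is not a syntactically valid Content-Type regardless of what it contains. All sample headers and the sample properties text are constructed for this example.

```python
import re

# RFC 7230 "token" characters: tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
# / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA.
# Braces, parentheses, spaces and control characters are NOT token characters,
# so a header using them fails the grammar check and is rejected outright.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# quoted-string: printable characters or backslash-escaped pairs inside double quotes
_QUOTED = r'"(?:[^"\\\x00-\x1f\x7f]|\\[\x09\x20-\x7e])*"'
_PARAM = rf"\s*;\s*({_TOKEN})\s*=\s*({_TOKEN}|{_QUOTED})"
_CONTENT_TYPE_RE = re.compile(rf"^\s*({_TOKEN})/({_TOKEN})((?:{_PARAM})*)\s*$")
_PARAM_RE = re.compile(_PARAM)


def is_well_formed_content_type(value: str) -> bool:
    """True only if the whole header matches the media-type grammar exactly."""
    return _CONTENT_TYPE_RE.match(value) is not None


def multipart_boundary(value: str):
    """Return the boundary of a well-formed multipart/form-data header, else None.

    A filter can refuse to hand the request to the multipart parser when this
    returns None, so only syntactically clean upload requests reach it.
    """
    m = _CONTENT_TYPE_RE.match(value)
    if m is None:
        return None
    if m.group(1).lower() != "multipart" or m.group(2).lower() != "form-data":
        return None
    for name, raw in _PARAM_RE.findall(m.group(3)):
        if name.lower() == "boundary":
            # strip the quotes and backslash escapes of a quoted-string value
            return re.sub(r"\\(.)", r"\1", raw[1:-1]) if raw.startswith('"') else raw
    return None


# Affected ranges exactly as listed in the advisory text above (inclusive).
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]


def parse_version(version: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1); tuple comparison then orders versions correctly."""
    return tuple(int(part) for part in version.strip().split("."))


def struts_is_affected(version: str) -> bool:
    """True if the version falls in an affected range; 2.3.32 and 2.5.10.1 are fixed."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def multipart_parser_in_use(properties_text: str) -> str:
    """Report the struts.multipart.parser value from a .properties file.

    The page states jakarta is the framework default, so that is returned when
    the key is absent.
    """
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "struts.multipart.parser":
            return val.strip()
    return "jakarta"


# Constructed sample inputs (not taken from any real request log or deployment).
SAMPLE_HEADERS = [
    "multipart/form-data; boundary=----ConstructedBoundary42",
    'multipart/form-data; boundary="abc 123"',
    "application/x-www-form-urlencoded",
    "multipart/form-data; boundary=abc; x=(not a token)",
    "multipart/form-data; boundary",
]
SAMPLE_PROPERTIES = "# constructed struts.properties\nstruts.multipart.parser=pell\n"

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        status = "ok" if is_well_formed_content_type(header) else "REJECT"
        print(f"{status:6} boundary={multipart_boundary(header)!r}  {header}")
    for ver in ("2.3.31", "2.3.32", "2.5", "2.5.10", "2.5.10.1"):
        print(f"Struts {ver}: affected={struts_is_affected(ver)}")
    print("configured parser:", multipart_parser_in_use(SAMPLE_PROPERTIES))
```

The grammar check is deliberately strict rather than signature-based: a legitimate upload header is `multipart/form-data; boundary=...` and nothing else, so rejecting everything that does not parse as a media type needs no knowledge of a particular payload and does not need updating when payload encodings change. It is a compensating control for the time between detection and the upgrade the advisory asks for, not a replacement for it.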