Severity: HIGH (7.5) · Ecosystem: Maven

Special top object can be used to access Struts' internals

GHSA-4qgj-9mvg-3929 · CVE-2015-5209


Description

The ValueStack defines a special `top` object that represents the root of the execution context. Reaching it through a request parameter name lets an attacker manipulate Struts' internals or affect the container's settings. The fix applies a stricter regular expression for accepted parameter names, including a pattern that excludes request parameters attempting to use the `top` object. This issue was patched in Struts 2.3.24.1.
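As an added illustration, not Struts' own code or configuration, the check below models the shape of the fix: an accepted-name pattern for OGNL-style parameter names plus exclusion patterns that reject any name using `top` as a whole path segment (so `desktop.size` still passes). The regexes are assumptions written for this example, not the ones shipped in struts-default.xml.

```python
import re
from typing import Dict, List, Tuple

# Shape of parameter names treated as expressions: identifiers joined by dots,
# with numeric or identifier indexes. Illustrative pattern for this example.
ACCEPTED_PARAM_NAME = re.compile(r"\w+((\.\w+)|(\[\d+\])|(\[\w+\])|(\(\d+\)))*")

# Exclusion patterns in the spirit of the 2.3.24.1 fix (assumed, not Struts'):
# reject `top` as a path segment anywhere in the name, plus the usual
# internal objects and action/method prefixes.
EXCLUDED_PARAM_NAMES = [
    re.compile(r"(^|.*\.|.*\[)top(\.|\[|\(|\]|$).*"),
    re.compile(r"^(action|method):.*"),
    re.compile(r"^(struts|session|request|application|dojo)\..*"),
]


def is_accepted_param_name(name: str) -> bool:
    """True only if the name matches the accepted shape and no exclusion."""
    if not ACCEPTED_PARAM_NAME.fullmatch(name):
        return False
    return not any(p.fullmatch(name) for p in EXCLUDED_PARAM_NAMES)


def filter_params(params: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split request parameters into those safe to set and the rejected names.

    Rejected names are returned so they can be logged for detection."""
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for name, value in params.items():
        if is_accepted_param_name(name):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample request; `top.*` names model the vulnerable access.
    sample = {"user.name": "alice", "desktop.size": "3", "top.context": "x"}
    ok, bad = filter_params(sample)
    print("accepted:", ok)
    print("rejected:", bad)
```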
