org.apache.struts:struts2-core@2.5.25 vulnerabilities

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via manipulation of file upload parameters that enable path traversal. Under certain conditions, uploading of a malicious file is possible, which may then be executed on the server.

Upgrade org.apache.struts:struts2-core to version 2.5.33, 6.3.0.2 or higher.

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Denial of Service when certain fields exceed the maxStringLength limit during multipart requests. An attacker can exploit this to leave uploaded files in the struts.multipart.saveDir even after the request has been denied resulting in excessive disk usage.

Upgrade org.apache.struts:struts2-core to version 2.5.32, 6.1.2.2, 6.3.0.1 or higher.

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when it loads non-file regular form fields from a Multipart request into memory as Strings without verifying their sizes.

This vulnerability can be exploited if a developer has set struts.multipart.maxSize to a value equal to or greater than the available memory.

Upgrade org.apache.struts:struts2-core to version 2.5.31, 6.1.2.1 or higher.

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper handling of getProperty() by the XWorkListPropertyAccessor class. Exploiting this vulnerability is possible if the developer has set CreateIfNull to true for the underlying Collection type field.

Upgrade org.apache.struts:struts2-core to version 2.5.31, 6.1.2.1 or higher.

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). The fix issued for CVE-2020-17530 was incomplete. Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

Upgrade org.apache.struts:struts2-core to version 2.5.30 or higher.

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). The vulnerability exists due to improper input validation when processing certain tag's attributes. The application performs double evaluation of the code if a developer applied forced OGNL evaluation by using the %{...} syntax. A remote attacker can send a specially crafted request to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Upgrade org.apache.struts:struts2-core to version 2.5.26 or higher.