Remote code execution in Apache Struts - CVE-2017-12611


Published: September 11, 2017 / Updated: April 7, 2020


Vulnerability identifier: #VU8213
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2017-12611
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: Apache Foundation
Affected software:
Apache Struts

Detailed vulnerability description

The vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on the target system.

The weakness exists due to unsafe evaluation of attribute values in Struts Freemarker tags. When a template passes a value that Freemarker derives from request data (for example a ${...} interpolation or a bare Freemarker expression) to a tag attribute such as name or value, instead of a string literal, Freemarker substitutes the text first and Struts then evaluates the resulting attribute as an OGNL expression. A remote attacker who controls that request data can therefore submit an OGNL payload and execute arbitrary code in the security context of the affected application.
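A practical way to find the risky pattern in a code base is to scan the Freemarker templates for Struts tags whose attribute values are not plain string literals. The following scanner is an added example for this entry, not code from Apache Struts or from the advisory; the tag syntax it recognises (<@s.tagname attr="..."/>), the decision to treat any ${...} interpolation or bare expression as risky, and the embedded sample template are assumptions of this example.

```python
"""Heuristic scanner for the Struts 2 / Freemarker pattern behind CVE-2017-12611.

Added example, not from Apache Struts or the advisory. It flags Struts
Freemarker tags (<@s.xxx .../>) whose attribute values are not string
literals: either a quoted value containing a ${...} interpolation, or a bare
Freemarker expression (value=redirectUri). In both cases Freemarker fills the
text in first and Struts then evaluates the attribute as OGNL, so text taken
from the request can reach the OGNL evaluator. Assumptions: attribute syntax,
the set of benign bare literals, and the sample template below.
"""
import re
from dataclasses import dataclass
from typing import List

# <@s.tagname ...attributes.../> or <@s.tagname ...attributes...>
TAG_RE = re.compile(r"<@s\.(\w+)\b([^>]*?)/?>")
# attr="quoted value"  or  attr=bareExpression
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s"/>]+))')
# Freemarker interpolation inside a quoted attribute value
INTERP_RE = re.compile(r"\$\{[^}]*\}")
# bare values that are Freemarker literals, not variables (assumption: treat as benign)
BENIGN_BARE = {"true", "false"}


@dataclass(frozen=True)
class Finding:
    line: int
    tag: str
    attribute: str
    value: str
    kind: str  # "interpolation" or "expression"


def find_risky_struts_tags(ftl: str) -> List[Finding]:
    """Return every Struts tag attribute whose value Freemarker evaluates before Struts does."""
    findings: List[Finding] = []
    for tag_match in TAG_RE.finditer(ftl):
        tag, attrs = tag_match.group(1), tag_match.group(2)
        line = ftl.count("\n", 0, tag_match.start()) + 1
        for attr, quoted, bare in ATTR_RE.findall(attrs):
            if bare:
                # Unquoted: a Freemarker expression, evaluated by Freemarker, result re-evaluated by Struts
                if bare in BENIGN_BARE or bare.isdigit():
                    continue
                findings.append(Finding(line, tag, attr, bare, "expression"))
            elif INTERP_RE.search(quoted):
                # Quoted but interpolated: request-derived text is spliced into an OGNL-evaluated attribute
                findings.append(Finding(line, tag, attr, quoted, "interpolation"))
    return findings


# Constructed sample template (not from a real application). Line 3 is safe
# (string literals only); lines 4-6 show the three risky shapes.
SAMPLE_FTL = """\
<#-- constructed sample template, not from a real application -->
<@s.form action="login">
  <@s.textfield name="username" label="User" required=true/>
  <@s.hidden name="${redirectUri}"/>
  <@s.hidden name="redirectUri" value="${redirectUri}"/>
  <@s.hidden name="redirectUri" value=redirectUri/>
</@s.form>
"""


def main() -> None:
    for f in find_risky_struts_tags(SAMPLE_FTL):
        print(f"line {f.line}: <@s.{f.tag}> attribute {f.attribute}={f.value!r} "
              f"is a Freemarker {f.kind}; use a string literal instead")


if __name__ == "__main__":
    main()
```

The scanner is deliberately conservative: every non-literal attribute value is reported, and a reviewer then decides whether the value can actually be influenced by a request. Upgrading to a fixed Struts release remains the real fix; the scan only locates templates that depend on the vulnerable behaviour.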

How to mitigate CVE-2017-12611

Update to Apache Struts 2.5.12 or later (2.5 branch) or 2.3.34 or later (2.3 branch). Until the upgrade is applied, do not pass request-derived values into Struts Freemarker tag attributes; use string literals instead.

Sources