Improper input validation in Apache Struts

#VU14487 Improper input validation in Apache Struts

Published: 2020-03-18 | Updated: 2021-06-17

Vulnerability identifier: #VU14487

Vulnerability risk: High

CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2018-11776

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Apache Struts
Server applications / Frameworks for developing and running applications

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient input validation in cases where namespace value isn't set for a result defined in underlying xml configurations and in same time, its upper action(s) configurations have no or wildcard namespace, or when using url tag which doesn’t have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.

A remote unauthenticated attacker can compromise the affected system.

Mitigation
Update to version 2.5.17 or 2.3.35.

Vulnerable software versions

Apache Struts: 2.2.3.1 - 2.5.16

External links
http://cwiki.apache.org/confluence/display/WW/S2-057

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

Latest bulletins with this vulnerability

Improper input validation in IBM SAN Volume Controller and Storwize Family

Improper input validation in IBM FlashSystem 840 and 900

Multiple vulnerabilities in Enterprise Manager Base Platform

Remote code execution in Apache Struts