Описание
Server side object manipulation in Apache Struts
OGNL provides, among other features, extensive expression evaluation capabilities. This vulnerability allows a malicious user to bypass the '#'-usage protection built into the ParametersInterceptor, thus being able to manipulate server side context objects. This behavior was already addressed in S2-003, but it turned out that the resulting fix based on whitelisting acceptable parameter names closed the vulnerability only partially.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2010-1870
- https://cwiki.apache.org/confluence/display/WW/S2-003
- http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html
- http://confluence.atlassian.com/display/FISHEYE/FishEye+Security+Advisory+2010-06-16
- http://packetstormsecurity.com/files/159643/LISTSERV-Maestro-9.0-8-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2010/Jul/183
- http://seclists.org/fulldisclosure/2020/Oct/23
- http://struts.apache.org/2.2.1/docs/s2-005.html
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2
Пакеты
org.apache.struts:struts2-core
< 2.2.1
2.2.1
EPSS
CVE ID
Связанные уязвимости
The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.
The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.
The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.
The OGNL extensive expression evaluation capability in XWork in Struts ...
Уязвимость реализации класса преобразования выражений OGNL (Object-Graph Navigation Language) структуры шаблонов команд XWork программной платформы Apache Struts, позволяющая нарушителю обойти ограничения безопасности и выполнить произвольные команды
EPSS