Vulnerability category: Web Application
Severity:
Vulnerability details
Apache Struts is a framework for building web applications.
Apache Struts on the target web application was found to be vulnerable to the remote code execution issue described in Security Bulletin S2-009. The assigned CVE ID is CVE-2011-3923.
The vulnerability exists because the regular expression in ParametersInterceptor accepts top['foo'](0) as a valid parameter name. OGNL treats this as (top['foo'])(0) and therefore evaluates the value of the 'foo' action parameter as an OGNL expression.
Affected software:
Struts 2.0.0 - Struts 2.3.1.1
Impact
A remote attacker could exploit this vulnerability to execute arbitrary code.
Solution
Upgrade to the latest version of the Apache Struts 2 framework to fix this issue. For more details, please refer to Apache Security Bulletin S2-009.
Patch:
The following links provide patches for this vulnerability: