Vulnerability category: Web Application
Vulnerability level:
Vulnerability information
Apache Struts is a framework for building web applications.
A vulnerability, CVE-2016-3081, exists because Apache Struts improperly handles malicious expressions when Dynamic Method Invocation (DMI) is enabled. This allows an attacker to execute arbitrary code via the "method:" prefix, related to chained expressions.
Affected software:
Apache Struts 2.x before 2.3.20.3
Apache Struts 2.3.24.x before 2.3.24.3
Apache Struts 2.3.28.x before 2.3.28.1
Vulnerability impact
A remote attacker could exploit this vulnerability to execute arbitrary code on the targeted system.
Solution
Upgrade to the latest version of the Apache Struts 2 framework to fix this issue. For more details, please refer to the vendor advisory S2-032.
Workaround:
Disable Dynamic Method Invocation, or implement your own version of ActionMapper based on the source code of the recommended Apache Struts versions.
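The following audit script is an added example, not part of the advisory or of Apache Struts itself. It checks a deployment against the two conditions this advisory relies on: whether the struts2 version falls inside the affected ranges listed above, and whether struts.xml leaves Dynamic Method Invocation on. It assumes DMI is controlled by the real constant struts.enable.DynamicMethodInvocation and that a missing constant means "enabled", which was the default for Struts 2.3.x; the struts.xml samples are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as the advisory states them:
# (version prefix the range applies to, first fixed version in that line)
AFFECTED_RANGES = [
    ((2,),       (2, 3, 20, 3)),   # Apache Struts 2.x before 2.3.20.3
    ((2, 3, 24), (2, 3, 24, 3)),   # Apache Struts 2.3.24.x before 2.3.24.3
    ((2, 3, 28), (2, 3, 28, 1)),   # Apache Struts 2.3.28.x before 2.3.28.1
]

def parse_version(version):
    """Turn '2.3.24.1' into (2, 3, 24, 1); qualifiers such as '-SNAPSHOT' are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))

def is_affected_version(version):
    """True if the version lies in any of the advisory's affected ranges."""
    v = parse_version(version)
    return any(v[:len(prefix)] == prefix and v < fixed
               for prefix, fixed in AFFECTED_RANGES)

def dmi_enabled(struts_xml):
    """True if struts.xml leaves Dynamic Method Invocation on.
    Assumption: no constant means enabled (the Struts 2.3.x default).
    Only struts.xml is inspected; struts.properties is not considered."""
    root = ET.fromstring(struts_xml)
    for const in root.iter("constant"):
        if const.get("name") == "struts.enable.DynamicMethodInvocation":
            return const.get("value", "").strip().lower() != "false"
    return True

def assess(version, struts_xml):
    """Combine the version check with the workaround check."""
    if not is_affected_version(version):
        return "not affected: version outside the advisory's ranges"
    if not dmi_enabled(struts_xml):
        return "affected version, mitigated by workaround: DMI disabled"
    return "VULNERABLE: affected version with DMI enabled"

# Constructed sample configurations (not taken from any real deployment).
WEAK_STRUTS_XML = """<struts>
  <package name="default" extends="struts-default">
    <action name="hello" class="example.HelloAction"><result>/hello.jsp</result></action>
  </package>
</struts>"""
HARDENED_STRUTS_XML = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="false" />
  <package name="default" extends="struts-default">
    <action name="hello" class="example.HelloAction"><result>/hello.jsp</result></action>
  </package>
</struts>"""

if __name__ == "__main__":
    for ver, cfg in [("2.3.24.1", WEAK_STRUTS_XML), ("2.3.24.1", HARDENED_STRUTS_XML),
                     ("2.3.28.1", WEAK_STRUTS_XML)]:
        print(ver, "->", assess(ver, cfg))
```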
Patch:
Following are links for downloading patches to fix the vulnerabilities: