Findings for SCA, High, [TheRedHatter/javagoof:todolist-web-struts/pom.xml]:Remote Code Execution

[armorcodegithubpreprod[bot]]

Findings for SCA, High, [TheRedHatter/javagoof:todolist-web-struts/pom.xml]:Remote Code Execution

Component Details

• Exploit Maturity: mature
• Vulnerable Package: -
  • Current Version: -
  • Vulnerable Version(s): >[2.3.0, 2.3.35),[2.5.0, 2.5.17)
  • Vulnerable Path: >null

    Overview

    org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Remote Code Execution. When the namespace value is not set for a result defined in underlying xml configurations, and in same time, its upper action(s) configurations have no or wildcard namespace, an attacker may be able to conduct a remote code execution attack. They could also use the opportunity when using a url tag which does not have a value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.

References

• Exploit DB
• Exploit DB
• GitHub Commit
• Lgtm Blog
• RedHat Bugzilla Bug
• Struts2 Security Bulletin

Snyk Project Status: Active

---

---

[armorcodegithubpreprod[bot]]

Finding [47833756|https://preprod.armorcode.ai/#/findings/257/1167/47833756] is Mitigated
by SYSTEM via ArmorCode Platform