Apache Struts CVE List


This relates to CVE-2017-5638, a vulnerability in Struts 2 when it uses the Jakarta Multipart parser. A request with a crafted Content-Type HTTP header makes the parser fail, and the header value is then evaluated as an OGNL expression while the error message is built, so an attacker can place a command string in that header and execute code remotely on the server. This is listed as affecting:

Struts 2.3.x before 2.3.32 and 2.5.x before

Using the Struts Showcase example application, I was able to exploit these versions of Struts 2 and gain a remote shell on the server hosting the application.

I then ran the same process against our Yellowfin application. Because this exploit targets only the Struts 2 versions listed above, and Yellowfin is built on Struts 1, the exploit was not successful.
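Because the injection point for this issue is the Content-Type header, the cheapest detection is to check that header against what a media type is allowed to look like. The example below is added here and is not code from the page or from Yellowfin: it flags Content-Type values that contain OGNL expression markers, or that are not a well-formed type/subtype with parameters, and runs that check over a few constructed access-log lines (the log format, which appends the quoted Content-Type after the byte count, is an assumption).

```python
import re
from typing import List, NamedTuple, Optional

# OGNL expression markers that never belong in a Content-Type value.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|#context|@ognl\.|@java\.lang\.|getRuntime\(\)",
    re.IGNORECASE,
)

# Allow-list shape of a media type: type/subtype plus optional ';name=value'
# parameters. '%', '{', '(' and friends are not token characters, so an
# OGNL payload fails this check even if a marker above is obfuscated.
MEDIA_TYPE = re.compile(
    r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+"
    r"(\s*;\s*[A-Za-z0-9!#$&^_.+-]+=(\"[^\"]*\"|[^;\s]+))*\s*$"
)

# Constructed log format (an assumption): common log format followed by the
# request's Content-Type in double quotes.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ctype>(?:[^"\\]|\\.)*)"$'
)


class Finding(NamedTuple):
    line_no: int
    client: str
    content_type: str
    reason: str


def classify_content_type(value: str) -> Optional[str]:
    """Return why a Content-Type value is suspicious, or None if it looks legitimate."""
    marker = OGNL_MARKERS.search(value)
    if marker:
        return f"OGNL marker {marker.group(0)!r}"
    if not MEDIA_TYPE.match(value):
        return "malformed media type"
    return None


def scan_access_log(lines: List[str]) -> List[Finding]:
    """Run classify_content_type over every parseable log line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        reason = classify_content_type(m.group("ctype"))
        if reason:
            findings.append(Finding(line_no, m.group("client"), m.group("ctype"), reason))
    return findings


# Constructed sample lines: two normal uploads, two injection attempts and one
# merely malformed header (flagged by the allow-list, not by a marker).
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Mar/2017:10:15:02 +0000] "POST /struts2-showcase/fileupload/doUpload.action HTTP/1.1" 200 5120 "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"',
    '10.0.0.5 - - [07/Mar/2017:10:15:09 +0000] "POST /struts2-showcase/index.action HTTP/1.1" 200 2048 "application/x-www-form-urlencoded"',
    '203.0.113.7 - - [07/Mar/2017:10:16:41 +0000] "POST /struts2-showcase/fileupload/doUpload.action HTTP/1.1" 500 0 "%{(#_=\'multipart/form-data\').(#probe=1)}"',
    '198.51.100.9 - - [07/Mar/2017:10:17:03 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 3310 "${#context}"',
    '10.0.0.8 - - [07/Mar/2017:10:18:22 +0000] "POST /struts2-showcase/fileupload/doUpload.action HTTP/1.1" 200 5120 "multipart/form-data boundary=x"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} sent {f.content_type!r} ({f.reason})")
```

The marker list alone is a deny-list and will miss encodings it does not know about; the MEDIA_TYPE allow-list is what catches those, at the cost of also flagging clients that send sloppy but harmless headers, which is why both reasons are reported separately.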


This vulnerability, CVE-2017-9805, affects Struts 2.1.2 through 2.3.33 and 2.5.x before 2.5.13, and allows remote code execution when the REST plugin is in use: the plugin's XStream handler deserialises untrusted XML request bodies without restricting the classes it will instantiate. Using the Struts 2 Showcase sample application, I was able to gain a remote shell on the hosting server with this exploit.

When targeting Yellowfin, the exploit was not successful, both because of the difference in Struts version and because Yellowfin does not use the REST plugin.



This vulnerability, CVE-2018-11776, is listed against Struts 2.3.x before 2.3.35 and 2.5.x before 2.5.17. It is a Remote Code Execution (RCE) vulnerability that is reachable when alwaysSelectFullNamespace is set to true and actions are configured with no namespace or with a wildcard namespace; in that configuration the namespace is taken from the request URL and evaluated as an OGNL expression.

Struts 1, which Yellowfin uses, has neither the alwaysSelectFullNamespace setting nor Struts 2 namespaces, so Yellowfin is not vulnerable to this item.
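The three checks above share one pattern: a Struts version range plus a configuration precondition (REST plugin present, alwaysSelectFullNamespace with namespace-less actions). The example below is added here and is not code from the page or from Yellowfin; it encodes the ranges stated on this page as half-open intervals (the 2.5.x fix version for CVE-2017-5638, 2.5.10.1, is taken from Apache advisory S2-045), and reports which CVEs apply to a given deployment. The Deployment fields and the Struts 1 version used for Yellowfin are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse '2.5.10.1' or '2.3.31' into an int tuple.

    Tuple comparison orders dotted versions correctly, including the
    four-part 2.5.10.1 (since (2, 5, 10) < (2, 5, 10, 1) < (2, 5, 11)).
    """
    core = text.strip().split("-")[0]  # drop qualifiers such as '-SNAPSHOT'
    parts: List[int] = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable Struts version: {text!r}")
    return tuple(parts)


@dataclass(frozen=True)
class Deployment:
    """Observable facts about a target (field names are this example's own)."""
    struts_version: str
    rest_plugin: bool = False                    # struts2-rest-plugin on the classpath
    always_select_full_namespace: bool = False   # struts.mapper.alwaysSelectFullNamespace=true
    namespaceless_actions: bool = False          # actions with no or wildcard namespace


@dataclass(frozen=True)
class StrutsCve:
    cve_id: str
    summary: str
    affected: Tuple[Tuple[Version, Version], ...]   # half-open [lo, hi) ranges
    precondition: Callable[[Deployment], bool]      # configuration the page says is required


def version_affected(version: str, cve: StrutsCve) -> bool:
    """True if the version falls inside any affected range (ignores configuration)."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in cve.affected)


CVES = (
    StrutsCve(
        "CVE-2017-5638",
        "Jakarta Multipart parser: OGNL in Content-Type header (S2-045)",
        (((2, 3), (2, 3, 32)), ((2, 5), (2, 5, 10, 1))),   # 2.5.10.1 per S2-045
        lambda d: True,   # the Jakarta parser is the default; no extra configuration needed
    ),
    StrutsCve(
        "CVE-2017-9805",
        "REST plugin XStream deserialisation (S2-052)",
        (((2, 1, 2), (2, 3, 34)), ((2, 5), (2, 5, 13))),
        lambda d: d.rest_plugin,
    ),
    StrutsCve(
        "CVE-2018-11776",
        "namespace taken from the URL and evaluated as OGNL (S2-057)",
        (((2, 3), (2, 3, 35)), ((2, 5), (2, 5, 17))),
        lambda d: d.always_select_full_namespace and d.namespaceless_actions,
    ),
)


def applicable_cves(target: Deployment) -> List[str]:
    """CVE ids whose version range and configuration precondition both hold."""
    return [
        cve.cve_id
        for cve in CVES
        if version_affected(target.struts_version, cve) and cve.precondition(target)
    ]


if __name__ == "__main__":
    # The Showcase app tested on the page, and a Struts 1 deployment standing in
    # for Yellowfin (the exact Yellowfin version is an assumption).
    for name, target in [
        ("showcase 2.3.31 + REST plugin", Deployment("2.3.31", rest_plugin=True)),
        ("struts 1.3.10 (Yellowfin)", Deployment("1.3.10")),
    ]:
        print(f"{name}: {applicable_cves(target) or 'none'}")
```

Keeping the version range and the precondition separate matters in practice: a scanner that only reads the struts2-core jar version will report CVE-2018-11776 against every 2.3.x below 2.3.35, while the page's own result shows that without the namespace configuration the code path is not reachable.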
