[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ANN] CVE-2018-11776 Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16

To: Struts User <user@xxxxxxxxxxxxxxxxx>, Struts Dev <dev@xxxxxxxxxxxxxxxxx>, Struts Announcements <announcements@xxxxxxxxxxxxxxxxx>, Apache Announce <announce@xxxxxxxxxx>, "security-reports@xxxxxxxxxx" <security-reports@xxxxxxxxxx>, Struts Security <security@xxxxxxxxxxxxxxxxx>, oss-security <oss-security@xxxxxxxxxxxxxxxxxx>, full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>, bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: [ANN] CVE-2018-11776 Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16
From: Yasser Zamani <yasserzamani@xxxxxxxxxx>
Date: Wed, 22 Aug 2018 07:37:24 +0000

[CVEID]:CVE-2018-11776
[PRODUCT]:Apache Struts
[VERSION]:Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16
[PROBLEMTYPE]:Remote Code Execution
[REFERENCES]:https://cwiki.apache.org/confluence/display/WW/S2-057
[DESCRIPTION]:Man Yue Mo from the Semmle Security Research team was
noticed that Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16
suffer from possible Remote Code Execution when using results with no
namespace and in same time, its upper action(s) have no or wildcard
namespace. Same possibility when using url tag which doesn’t have value
and action set and in same time, its upper action(s) have no or wildcard
namespace.

Prev by Date: [SECURITY] [DSA 4280-1] openssh security update
Next by Date: [SECURITY] [DSA 4279-2] linux regression update
Previous by thread: [SECURITY] [DSA 4280-1] openssh security update
Next by thread: [SECURITY] [DSA 4279-2] linux regression update
Index(es):
- Date
- Thread