Apache Struts2 ValueStack OGNL Remote Command Execution

Strike ID:
E20-0qvq1
CVSS:
9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
False Positive:
f
Variants:
2
Year:
2019

Description

This strike exploits a remote code execution vulnerability found in Apache Struts2 Framework. The vulnerability is due to the lack of input validation leading to a forced double Object Graph Navigation Library (OGNL) evaluation for raw user input. The vulnerability can be exploited by crafting a malicious HTTP POST request. Successful exploitation may result in executing arbitrarily code within the context of the user running the webservice.

CVE

References