CVE-2008-6504
Improper Input Validation in OpenSymphony XWork
EPSS 39.4%
Description
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.
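The description above turns on a deny-list that looked for a literal # in the parameter name while the expression parser later decoded escapes such as \u0023. The following is an added example, not code from XWork or Struts: a simplified Python model comparing that raw-string deny-list with a check on the decoded name and with an allow-list of permitted parameter-name characters (the regex is a constructed illustration, not the project's actual pattern).

```python
import re

# Constructed allow-list of characters a bean-property parameter name
# legitimately needs: letters, digits, '_', '.', and index brackets.
# Illustrative pattern only, not XWork's real one.
SAFE_PARAM_NAME = re.compile(r"[A-Za-z0-9_.\[\]]+")


def decode_unicode_escapes(name: str) -> str:
    """Model of the escape decoding an expression parser performs before
    evaluation: each \\uXXXX sequence becomes the character it encodes."""
    return re.sub(r"\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), name)


def denylist_check(name: str) -> bool:
    """Deny-list style check on the raw parameter name: reject only a
    literal '#'. Returns True when the name would be accepted."""
    return "#" not in name


def allowlist_check(name: str) -> bool:
    """Allow-list check: accept only names made entirely of safe characters.
    A backslash is not in the set, so an escape sequence never gets through."""
    return SAFE_PARAM_NAME.fullmatch(name) is not None


def screen(param_names, check):
    """Return the names that `check` would let through to expression evaluation."""
    return [n for n in param_names if check(n)]


# Constructed sample parameter names as they might arrive in a request.
SAMPLE_NAMES = [
    "user.name",              # ordinary bean property
    "#session.user",          # literal context reference
    "\\u0023session.user",    # same reference with '#' written as \u0023
]

if __name__ == "__main__":
    print("deny-list on raw name:  ", screen(SAMPLE_NAMES, denylist_check))
    # Checking the decoded form closes the gap for this one encoding...
    print("deny-list after decode: ",
          screen(SAMPLE_NAMES, lambda n: denylist_check(decode_unicode_escapes(n))))
    # ...but an allow-list does not depend on anticipating every encoding.
    print("allow-list on raw name: ", screen(SAMPLE_NAMES, allowlist_check))
```

The raw-string deny-list passes the escaped name; the decoded check and the allow-list both reject it, and only the allow-list does so without knowing the encoding in advance.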
How to fix CVE-2008-6504
To remediate CVE-2008-6504, upgrade the affected package to a fixed version below.
- Maven/com.opensymphony:xwork: upgrade to 2.0.6 or later
Is CVE-2008-6504 being exploited?
Moderate — EPSS is 39.4%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- com.opensymphony:xwork: versions from 0 up to, but not including, 2.0.6