CVE-2015-5209

HIGH7.5EPSS 1.4%

Special top object can be used to access Struts' internals

Published: 5/14/2022Modified: 2/18/2024

Description

ValueStack defines special top object which represents root of execution context. It can be used to manipulate Struts' internals or can be used to affect container's settings. Applying better regex which includes pattern to exclude request parameters trying to use top object. This issue was patched in Struts 2.3.24.1.

Affected packages (1)

Maven/org.apache.struts:struts2-corefrom 0, < 2.3.24.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2015-5209
WEBhttps://security.netapp.com/advisory/ntap-20180629-0002
WEBhttps://struts.apache.org/docs/s2-026.html