This flaw affects all versions of Apache Struts 2, and is caused by the insufficient validation of untrusted user data in the core Struts framework.
The flaw is triggered when Apache Struts uses results with no namespace while, at the same time, the upper actions have no namespace or a wildcard namespace. The same opportunity for exploitation exists when the URL tag is in use and no value or action is set. This bug has been assigned CVE-2018-11776.
There are multiple attack vectors threat actors could use to exploit the vulnerability:
- If the alwaysSelectFullNamespace flag is set to true in the Struts configuration, which is automatically the case when the Struts Convention plugin is in use, or if a user's Struts configuration file contains a tag that does not specify the optional namespace attribute or specifies a wildcard namespace, the build is likely vulnerable to attack.
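As an added example, not taken from the article or from the Struts project, the script below audits a struts.xml for the preconditions listed above: the alwaysSelectFullNamespace constant set to true, packages with no or wildcard namespace, and redirectAction/chain results inside such packages that set no namespace. Both sample configurations, the class name com.example.LoginAction and the /app namespace are constructed for the demonstration.

```python
# Constructed example for this article: audit a struts.xml for the CVE-2018-11776
# preconditions. Not Struts project code; the sample configurations are made up.
import xml.etree.ElementTree as ET

FULL_NS_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"
NS_AWARE_RESULTS = {"redirectAction", "chain"}  # result types that accept a namespace param

def audit_struts_xml(xml_text: str) -> list[str]:
    """Return one finding per precondition present; an empty list means none was found."""
    root = ET.fromstring(xml_text)
    findings = []
    for const in root.iter("constant"):
        if const.get("name") == FULL_NS_CONSTANT and const.get("value", "").lower() == "true":
            findings.append(f"{FULL_NS_CONSTANT} is true")
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns and "*" not in ns:
            continue  # fixed namespace: results inside it do not take one from the request
        findings.append(f"package '{pkg.get('name')}' has {'no' if not ns else 'wildcard'} namespace")
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") not in NS_AWARE_RESULTS:
                    continue
                if not any(p.get("name") == "namespace" for p in result.findall("param")):
                    findings.append(f"result '{result.get('name', 'success')}' of action "
                                    f"'{action.get('name')}' sets no namespace")
    return findings

# Constructed: flag enabled, package without namespace, redirect result without namespace.
VULNERABLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="login" class="com.example.LoginAction">
      <result name="success" type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
</struts>"""

# Constructed: explicit package namespace and an explicit namespace on the result.
FIXED_STRUTS_XML = """<struts>
  <package name="default" namespace="/app" extends="struts-default">
    <action name="login" class="com.example.LoginAction">
      <result name="success" type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>"""
```

Running audit_struts_xml over a project's real struts.xml gives a quick inventory of configurations to fix alongside the upgrade; an empty result for the fixed sample and three findings for the vulnerable one are the expected outputs.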
"This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers," Mo says. "On top of that, the weakness is related to the Struts OGNL language, which hackers are very familiar with, and are known to have been exploited in the past."
Companies which use the popular open-source framework are urged to update their builds immediately. Users of Struts 2.3 are advised to upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17.