PROBLEM:
Apache Struts Bug Lets Remote Users Overwrite Files and Execute Arbitrary Code
PLATFORM:
Version(s): 2.1.0 - 2.3.1
ABSTRACT:
A remote user can execute arbitrary Java code on the target system.
REFERENCE LINKS:
SecurityTracker Alert ID: 1026484
Secunia Advisory SA47393
Bugtraq ID: 51257
Apache Struts 2 Documentation S2-008
IMPACT ASSESSMENT:
High
Discussion:
A vulnerability was reported in Apache Struts. A remote user can send specially crafted data to execute arbitrary Java code on the target system; the ExceptionDelegator and CookieInterceptor components are affected. A remote user can also exploit a flaw in the ParameterInterceptor component to overwrite arbitrary files on the target system.
Impact:
A remote user can execute arbitrary Java code on the target system.
Solution:
Developers should immediately upgrade to Struts 2.3.1.1.
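
An added example, not part of the bulletin or of Apache Struts: a Python check that flags struts2-core JARs whose filename version falls in the affected range stated above (2.1.0 - 2.3.1). It assumes the core library keeps its usual struts2-core-<version>.jar filename; the function names and sample paths are constructed for illustration.

```python
import re

# Affected range as stated in the bulletin, padded to four components
# so that the fixed release 2.3.1.1 compares greater than 2.3.1.
AFFECTED_MIN = (2, 1, 0, 0)
AFFECTED_MAX = (2, 3, 1, 0)

# Assumption: the core library is deployed as struts2-core-<version>.jar,
# optionally with a qualifier such as -SNAPSHOT.
JAR_RE = re.compile(
    r"^struts2-core-(\d+(?:\.\d+){1,3})(?:[-.][A-Za-z0-9]+)*\.jar$")


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1, 0) for a component-wise comparison."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(jar_path):
    """Return (version or None, status) for one JAR path."""
    name = re.split(r"[\\/]", jar_path)[-1]  # accept / and \ separators
    match = JAR_RE.match(name)
    if not match:
        return None, "not-struts-core"
    version = match.group(1)
    in_range = AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX
    return version, "affected" if in_range else "outside-stated-range"


def report(jar_paths):
    """Return the paths whose struts2-core version is in the stated range."""
    return [p for p in jar_paths if classify(p)[1] == "affected"]


# Constructed sample inventory (not taken from the bulletin).
SAMPLE = [
    "/srv/app1/WEB-INF/lib/struts2-core-2.3.1.jar",
    "/srv/app2/WEB-INF/lib/struts2-core-2.3.1.1.jar",
    "/srv/app3/WEB-INF/lib/struts2-core-2.2.3-SNAPSHOT.jar",
    "/srv/app3/WEB-INF/lib/commons-io-2.0.1.jar",
    "C:\\apps\\legacy\\WEB-INF\\lib\\struts2-core-2.0.14.jar",
]

if __name__ == "__main__":
    for path in SAMPLE:
        version, status = classify(path)
        print(f"{status:22} {version or '-':10} {path}")
```

A status of outside-stated-range means only that the version is not in the range this bulletin lists. The filename is a hint, so confirm the version from the JAR's manifest before closing out a finding.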