S2-024

Who should read this
All Struts 2 developers and users

Impact of vulnerability
If default settings are used, an attacker can compromise the internal state of an application

Maximum security rating

Recommendation
Developers should immediately upgrade to Struts 220.127.116.11 or introduce the change to the framework's settings described below

Reporter
Jasper Rosenberg at Cargurus

Problem
Wrong default exclude patterns were introduced in version 2.3.20 of Struts; if default settings are used, an attacker can compromise the application's internal state.

In Struts 18.104.22.168 a better set of exclude patterns was defined.

No backward compatibility problems are expected.

Solution
If you cannot migrate to the latest version, it is highly recommended to re-define
struts-default.xml to the one below (or any other which is used in your application) and drop

excludeParams overrides those defined in

and define the following constant in
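The bulletin's point is that the parameter names an application accepts are decided entirely by the excludeParams regular expressions, so a gap in that list lets request parameters reach internal objects. The following added example (not code from the bulletin or from the Struts project) is a small harness for checking a candidate exclude list before deploying it. It re-implements only the matching rule of the parameters interceptor as an assumption: a parameter name is rejected when any exclude pattern matches the whole name (Java's Matcher.matches(), here Python's re.fullmatch). The two pattern lists and the sample request are constructed for illustration and are not the patterns shipped in any Struts release.

```python
import re

# Constructed, deliberately incomplete exclude list: it only rejects names that
# START with "class.", so the same object reached through another path is accepted.
WEAK_EXCLUDES = [
    r"^class\..*",
]

# Constructed example of a stronger list (an assumption, not a verbatim Struts
# default): "class" is rejected wherever it appears in the property path, whether
# as a leading segment, a dotted segment or an indexed segment like ['class'],
# and framework-reserved prefixes are rejected as well.
STRONGER_EXCLUDES = [
    r"(.*\.|^|.*|\[('|\"))(c|C)lass(\.|('|\")\]|\[).*",
    r"^dojo\..*",
    r"^struts\..*",
    r"^session\..*",
    r"^request\..*",
    r"^application\..*",
    r"^servlet(Request|Response)\..*",
    r"^parameters\..*",
    r"^action:.*",
    r"^method:.*",
]


def is_excluded(param_name, exclude_patterns):
    """True when any pattern matches the ENTIRE parameter name.

    Full-match semantics are the assumption here (Java Matcher.matches()); a
    partial match would be a different, laxer rule and would change results.
    """
    return any(re.fullmatch(pattern, param_name) for pattern in exclude_patterns)


def accepted_params(params, exclude_patterns):
    """Return only the request parameters that would be handed on to the action."""
    return {
        name: value
        for name, value in params.items()
        if not is_excluded(name, exclude_patterns)
    }


# Constructed sample request: one legitimate field plus names that target
# framework or object internals through several different property paths.
SAMPLE_REQUEST = {
    "username": "alice",
    "class.classLoader.someProperty": "x",
    "user.class.classLoader.someProperty": "x",
    "user['class'].someProperty": "x",
    "struts.token": "x",
}


def audit(params, exclude_patterns):
    """Report which names slip through a given exclude list (empty list = clean)."""
    return sorted(
        name for name in accepted_params(params, exclude_patterns)
        if name != "username"
    )


if __name__ == "__main__":
    print("weak list lets through:    ", audit(SAMPLE_REQUEST, WEAK_EXCLUDES))
    print("stronger list lets through:", audit(SAMPLE_REQUEST, STRONGER_EXCLUDES))
```

Run it against the exclude list actually configured in your struts.xml (replacing STRONGER_EXCLUDES with your own patterns) and treat any non-empty audit result as a configuration defect to fix before shipping; because a custom excludeParams replaces rather than extends the framework's list, every reserved prefix has to be present in the override.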