topobject can be used to access Struts' internals
Who should read this
All Struts 2 developers and users
Impact of vulnerability
Manipulation of Struts' internals, altering of user session
Maximum security rating
Recommendation
Update the regex used to exclude vulnerable incoming parameters. An upgrade to Struts 2.3.24.1 is recommended.
Affected Software
Struts 2.0.0 - Struts 2.3.24
Reporter
rskvp93 at gmail dot com from Viettel Information Security Center
Problem
ValueStack defines a special top object which represents the root of the execution context. It can be used to manipulate Struts' internals or to affect the container's settings.
Solution
Apply a better regex which includes a pattern to exclude request parameters trying to use the top object. We recommend upgrading to Struts 2.3.24.1.
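To show how the parameter-name filtering described in the Problem and Solution sections works, here is an added example, not code from the Struts project: it models the ParametersInterceptor's two gates, a character whitelist and an excludeParams blacklist, and the patterns in it are assumptions written for this illustration, not the regex shipped with Struts.

```python
import re

# Whitelist gate: names may only contain the characters of a plain property
# path (assumed character set, modelled on Struts' acceptParamNames idea).
ACCEPTED_NAME = re.compile(r"[a-zA-Z0-9.\]\[()_']+")

# Blacklist gate (assumed patterns): reject names that address the
# ValueStack's "top" object (top.foo, top['foo'], top["foo"]), optionally
# through an OGNL "#" or %{...} prefix, and names rooted in container state.
EXCLUDE_PARAMS = [
    re.compile(r"(^|%\{)#?top(\.|\['|\[\").*"),
    re.compile(r"(struts|session|request|application|servlet(Request|Response))\..*"),
]


def is_accepted_name(name: str) -> bool:
    """True if the whole name consists of allowed characters only."""
    return ACCEPTED_NAME.fullmatch(name) is not None


def is_excluded_name(name: str) -> bool:
    """True if any exclusion pattern matches the whole name (like Java's matches())."""
    return any(p.fullmatch(name) for p in EXCLUDE_PARAMS)


def filter_params(params: dict) -> tuple[dict, dict]:
    """Split request parameters into those that may be set on the action
    and those that must be dropped; a name must pass both gates to be set."""
    accepted, rejected = {}, {}
    for name, value in params.items():
        if is_accepted_name(name) and not is_excluded_name(name):
            accepted[name] = value
        else:
            rejected[name] = value
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    sample = {
        "user.email": "a@example.org",  # ordinary action property: kept
        "topic": "news",                # starts with "top" but is a normal property: kept
        "top.someSetting": "x",         # addresses the root object: dropped
        "top['someSetting']": "x",      # bracket form of the same thing: dropped
        "session.attr": "x",            # container state: dropped
    }
    ok, dropped = filter_params(sample)
    print("accepted:", sorted(ok))
    print("rejected:", sorted(dropped))
```

Note that an application whose action legitimately exposes a property called `top` loses it under such a filter, which is the backward-compatibility caveat the bulletin states.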
Backward compatibility
If an application uses a parameter named top to access the action's properties, it won't be set on the action. Otherwise no backward compatibility problems are expected.
Workaround
Applying the patterns below will solve the problem as well: