User input is evaluated as an OGNL expression when there's a conversion error
Who should read this
All Struts 2 developers
Impact of vulnerability
Remote Code Execution
Maximum security rating
Developers should either upgrade to Struts 126.96.36.199 or apply the configuration changes described below
Struts 2.0.0 - Struts 2.2.3
Original JIRA Tickets
User input is evaluated as an OGNL expression when there's a conversion error. This allows a malicious user to execute arbitrary code.
A more detailed description is found in the referenced JIRA ticket.
Upgrade to Struts 188.8.131.52.
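An added example, not part of the bulletin: a Python inventory check that flags `struts2-core` JARs whose version falls in the affected range stated above (Struts 2.0.0 through 2.2.3, inclusive). The JAR naming pattern, the function names and the sample paths are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Affected range as stated in the bulletin: Struts 2.0.0 - Struts 2.2.3 (inclusive).
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 2, 3)

# Assumption: the core library keeps the conventional Maven artifact name,
# optionally followed by a qualifier such as "-SNAPSHOT".
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:[-.][A-Za-z][\w.-]*)?\.jar$")


def parse_version(text):
    """Turn '2.1.8.1' into (2, 1, 8, 1)."""
    return tuple(int(part) for part in text.split("."))


def pad(version, width=4):
    """Right-pad with zeros so 2.2.3 and a four-part version compare correctly."""
    return version + (0,) * (width - len(version))


def is_affected(version_text):
    """True when the version lies inside the bulletin's affected range."""
    version = pad(parse_version(version_text))
    return pad(AFFECTED_MIN) <= version <= pad(AFFECTED_MAX)


def scan(paths):
    """Return (path, version) for every struts2-core JAR in the affected range."""
    findings = []
    for path in paths:
        match = JAR_RE.match(PurePosixPath(path).name)
        if match and is_affected(match.group(1)):
            findings.append((path, match.group(1)))
    return findings


if __name__ == "__main__":
    # Constructed sample listing, e.g. collected from unpacked WAR files.
    sample = [
        "shop/WEB-INF/lib/struts2-core-2.2.3.jar",
        "portal/WEB-INF/lib/struts2-core-2.1.8.1.jar",
        "intranet/WEB-INF/lib/struts2-core-2.2.3.1.jar",
        "legacy/WEB-INF/lib/struts-core-1.3.10.jar",
    ]
    for path, version in scan(sample):
        print(f"AFFECTED {version}  {path}")
```

A file name match is only an inventory signal; repackaged or shaded JARs need their manifest or build metadata checked as well.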