Apache Struts 2.0.1 uses an unintentional expression in a Freemarker tag instead of string literal
Critical severity
GitHub Reviewed
Published
Oct 16, 2018
to the GitHub Advisory Database
•
Updated Jan 4, 2024
Package
Affected versions
>= 2.0.1, <= 2.3.33
>= 2.5.0, <= 2.5.10.1
Patched versions
2.3.34
2.5.11
Description
Published to the GitHub Advisory Database
Oct 16, 2018
Reviewed
Jun 16, 2020
Last updated
Jan 4, 2024
In Apache Struts 2.0.1 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.
References