
László Tóth

Researcher at PricewaterhouseCoopers
#49136 of 53,639
5 CVSS total
Vulnerabilities · 1
PT-2009-1975
5.0
2009-03-23
Apache · Apache Struts · CVE-2008-6505
**Name of the Vulnerable Software and Affected Versions**

- Apache Struts versions 2.0.x through 2.0.11
- Apache Struts versions 2.1.x through 2.1.2

**Description**

The issue allows remote attackers to read arbitrary files via a `..%252f` (encoded dot dot slash) in a URI with a "/struts/" path. This is related to the FilterDispatcher in 2.0.x and the DefaultStaticContentLoader in 2.1.x.

**Recommendations**

For Apache Struts versions 2.0.x through 2.0.11, update to version 2.0.12 or later.

For Apache Struts versions 2.1.x through 2.1.2, update to version 2.1.3 or later.

As a temporary workaround, consider restricting access to the `/struts/` path to minimize the risk of exploitation.