CVE-2008-6505

Name of the Vulnerable Software and Affected Versions Apache Struts versions 2.0.x through 2.0.11 Apache Struts versions 2.1.x through 2.1.2

Description The issue allows remote attackers to read arbitrary files via a ..%252f (encoded dot dot slash) in a URI with a "/struts/" path. This is related to the FilterDispatcher in 2.0.x and the DefaultStaticContentLoader in 2.1.x.

Recommendations For Apache Struts versions 2.0.x through 2.0.11, update to version 2.0.12 or later. For Apache Struts versions 2.1.x through 2.1.2, update to version 2.1.3 or later. As a temporary workaround, consider restricting access to the /struts/ path to minimize the risk of exploitation.