CVE-2017-12611

Name of the Vulnerable Software and Affected Versions Apache Struts versions 2.0.0 through 2.3.33 Apache Struts versions 2.5 through 2.5.10.1

Description The issue exists due to incorrect handling of Object Graph Navigation Language (OGNL) expressions. Exploitation may allow a remote attacker to execute arbitrary code. Using an unintentional expression in a Freemarker tag instead of string literals can lead to a remote code execution (RCE) attack.

Recommendations For Apache Struts versions 2.0.0 through 2.3.33, update to a version outside of this range to resolve the issue. For Apache Struts versions 2.5 through 2.5.10.1, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting the use of Freemarker tags to minimize the risk of exploitation. Avoid using unintentional expressions in Freemarker tags until the issue is resolved.