Apache · Apache Struts · CVE-2011-5057
**Name of the Vulnerable Software and Affected Versions**
Apache Struts versions 2.3.1.2 and earlier, 2.3.19 through 2.3.23
**Description**
Certain interfaces do not adequately restrict access, potentially allowing remote attackers to modify run-time data values by supplying a crafted parameter to an application that implements an affected interface. This could be achieved through interfaces such as SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware. The estimated number of potentially affected devices worldwide is not specified. No information is provided about real-world incidents in which this issue was exploited.
**Recommendations**
For both affected ranges (Apache Struts versions 2.3.1.2 and earlier, and versions 2.3.19 through 2.3.23), consider configuring the interceptor as a workaround to restrict access to sensitive data.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
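One way to apply the interceptor workaround, shown as an added example that is not taken from the advisory or from the Struts project. It assumes the interceptor in question is the `params` interceptor of `defaultStack` and uses its `excludeParams` setting; the package name, stack name and regular expressions are constructed for illustration and should be tested against the deployed Struts version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
  <!-- "hardened" and "hardenedStack" are hypothetical names. -->
  <package name="hardened" extends="struts-default">
    <interceptors>
      <interceptor-stack name="hardenedStack">
        <interceptor-ref name="defaultStack">
          <!--
            excludeParams is a comma-separated list of regular expressions.
            Request parameters whose names match are never bound to the action.
            Setting it replaces the shipped value, so the dojo/struts patterns
            are repeated here.
            The last pattern (constructed) blocks names that address the
            properties populated through SessionAware, RequestAware,
            ApplicationAware, ServletRequestAware, ServletResponseAware and
            ParameterAware, in both dot and bracket notation, for example
            "session.x" or "session['x']".
          -->
          <param name="params.excludeParams">
            dojo\..*,^struts\..*,^(session|request|application|servletRequest|servletResponse|parameters)(\.|\[).*
          </param>
        </interceptor-ref>
      </interceptor-stack>
    </interceptors>

    <!-- Every action in this package now uses the restricted stack. -->
    <default-interceptor-ref name="hardenedStack"/>
  </package>
</struts>
```

Actions declared in other packages, or actions that reference their own interceptor stack, do not inherit this setting and need the same override.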