Apache · Apache Struts · CVE-2013-4310
**Name of the Vulnerable Software and Affected Versions**
Apache Struts versions 2.0.0 through 2.3.15.1
**Description**
The issue lies in the DefaultActionMapper implementation in Apache Struts, which enforces access control weakly when handling the `action:` prefix parameter. The `action:` prefix is intended for attaching navigational information to buttons within forms, but under certain conditions a remote attacker can use it to bypass security constraints configured for the application.
**Recommendations**
For Apache Struts versions 2.0.0 through 2.3.15.1, update to version 2.3.15.3 or later, where the action mapping mechanism was changed so that the prefix can no longer be used to circumvent security constraints.
As a temporary workaround, consider setting the `struts.mapper.action.prefix.enabled` constant to `false` to disable support for the `action:` prefix, and set the `struts.mapper.action.prefix.crossNamespaces` constant to `false` to require actions defined with the `action:` prefix to be in the same namespace as the current action.