CVE-2010-1870

Name of the Vulnerable Software and Affected Versions Apache Struts versions 2.0.0 through 2.1.8.1

Description The OGNL extensive expression evaluation capability in XWork in Struts uses a permissive whitelist, allowing remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the #context, # memberAccess, #root, #this, # typeResolver, # classResolver, # traceEvaluations, # lastEvaluation, and # keepLastEvaluation OGNL context variables. This vulnerability enables a malicious user to bypass the '#'-usage protection built into the ParametersInterceptor, thus being able to manipulate server-side context objects.

Recommendations For Apache Struts versions 2.0.0 through 2.1.8.1, consider disabling the OGNL expression evaluation capability or restricting access to the vulnerable ParametersInterceptor until a patch is available. Avoid using the #context, # memberAccess, #root, #this, # typeResolver, # classResolver, # traceEvaluations, # lastEvaluation, and # keepLastEvaluation variables in the affected API endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.