PT-2017-2794 · Apache · Apache Struts
Published
2017-09-05
·
Updated
2025-11-10
·
CVE-2017-12611
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache Struts versions 2.0.0 through 2.3.33
Apache Struts versions 2.5 through 2.5.10.1
Description
The issue exists due to incorrect handling of Object Graph Navigation Language (OGNL) expressions. Exploitation may allow a remote attacker to execute arbitrary code. Using an unintentional expression in a Freemarker tag instead of string literals can lead to a remote code execution (RCE) attack.
Recommendations
For Apache Struts versions 2.0.0 through 2.3.33, update to a version outside of this range to resolve the issue.
For Apache Struts versions 2.5 through 2.5.10.1, update to a version outside of this range to resolve the issue.
As a temporary workaround, consider restricting the use of Freemarker tags to minimize the risk of exploitation. Avoid using unintentional expressions in Freemarker tags until the issue is resolved.
Exploit
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Struts