PT-2018-1514 · Apache · Apache Struts
Published 2018-08-22 · Updated 2026-03-10 · CVE-2018-11776
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Struts versions 2.3 to 2.3.34; Apache Struts versions 2.5 to 2.5.16
Description: The issue stems from errors in handling user-supplied data and can allow a remote attacker to execute arbitrary code. It arises when alwaysSelectFullNamespace is set to true, either by the user or by a plugin such as the Convention Plugin, and results are used with no namespace while the enclosing package has no namespace or a wildcard namespace. The same possibility exists when a url tag is used with neither value nor action set and its enclosing package has no namespace or a wildcard namespace.
Recommendations: For Apache Struts versions 2.3 to 2.3.34, consider disabling the use of results with no namespace and of the url tag with neither value nor action set until a patch is available. For Apache Struts versions 2.5 to 2.5.16, restrict access to the alwaysSelectFullNamespace feature and avoid using the url tag with neither value nor action set until the issue is resolved. As a temporary workaround, consider setting alwaysSelectFullNamespace to false to minimize the risk of exploitation.
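As an added illustration that is not part of this advisory, the following struts.xml shows the configuration condition the description names (the global setting enabled and a package with no namespace) beside a hardened form that applies the recommendations. It assumes that struts.mapper.alwaysSelectFullNamespace is the full constant name of the setting the advisory calls alwaysSelectFullNamespace, that a redirectAction result is the kind of "result with no namespace" meant, and it uses constructed package, action and class names.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
  <!-- WEAK (kept commented out): the condition described in the advisory.
       alwaysSelectFullNamespace is enabled, the package declares no namespace
       (a wildcard namespace has the same effect), and the redirectAction
       result names an action but no namespace, so the namespace is not
       fixed by configuration. Constructed example names throughout. -->
  <!--
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="orders-weak" extends="struts-default">
    <action name="submit" class="example.SubmitAction">
      <result type="redirectAction">
        <param name="actionName">confirm</param>
      </result>
    </action>
  </package>
  -->

  <!-- HARDENED: the workaround from the advisory (setting false) plus an
       explicit, non-wildcard namespace on the package and on every
       redirectAction result, so no namespace is left to be derived. -->
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="orders" namespace="/orders" extends="struts-default">
    <action name="submit" class="example.SubmitAction">
      <result type="redirectAction">
        <param name="actionName">confirm</param>
        <param name="namespace">/orders</param>
      </result>
    </action>
    <action name="confirm" class="example.ConfirmAction">
      <result>/WEB-INF/jsp/confirm.jsp</result>
    </action>
  </package>
</struts>
```

Reviewing a deployment means checking every package for a missing or wildcard namespace and every redirectAction or chain result and url tag for a missing namespace, not only the value of the global constant.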

Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

BDU:2018-01069
CVE-2018-11776
GHSA-CR6J-3JP9-RW65

Affected Products

Apache Struts