Potential Apache Struts 2 RCE flaw fixed, PoCs released (Security News, August 2020)
Have you already updated Apache Struts 2 to version 2.5.22, released in November 2019? If not, you should do so quickly: details of a potential RCE vulnerability that the release fixes, along with PoC exploits for it, have now been published.
"We continue to urge developers building upon Struts 2 to not use %{...} syntax referencing unvalidated user modifiable input in tag attributes, since this is the ultimate fix for this class of vulnerabilities," said René Gielen, chair of the Struts Project Management Committee.
Apache Struts 2 is a widely-used open source web application framework for developing Java EE web applications.
A few years ago, analyst Fintan Ryan at RedMonk estimated that nearly 65% of Fortune 100 firms actively use web applications built with the Apache Struts framework.
A Struts 2 vulnerability (CVE-2017-5638) was also the entry point for the 2017 Equifax data breach: attackers exploited it after the company's site administrators failed to apply the available security update in time.
News URL: http://feedproxy.google.com/~r/HelpNetSecurity/~3/bi7qa4GgFhU/