Potential Apache Struts 2 RCE flaw fixed, PoCs released
2020-08-17 10:03

Have you already updated your Apache Struts 2 to version 2.5.22, released in November 2019? You might want to, and quickly, as information about a potential RCE vulnerability and PoC exploits for it have been published.

"We continue to urge developers building upon Struts 2 to not use % syntax referencing unvalidated user modifiable input in tag attributes, since this is the ultimate fix for this class of vulnerabilities," René Gielen, Struts Project Management Committee chair, added.

Apache Struts 2 is a widely used open source web application framework for developing Java EE web applications.

A few years ago, analyst Fintan Ryan at RedMonk estimated that nearly 65% of Fortune 100 firms actively use web applications built with the Apache Struts framework.

A security hole in Apache Struts 2 is how attackers got in to carry out the infamous 2017 Equifax data breach, after the company's site administrators failed to quickly apply the security update that fixed it.


News URL

http://feedproxy.google.com/~r/HelpNetSecurity/~3/bi7qa4GgFhU/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apache 281 13 544 711 366 1634