Apache Struts2 S2-057 RCE

By
Jijith Rajan
Published on
16 Jun 2021
Vulnerability

Apache Struts is a free and open-source framework used to build Java web applications. Apache Struts2 S2-057 has a remote code execution vulnerability. When alwaysSelectFullNamespace is true (either by the user or by a plugin like Convention Plugin), Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are vulnerable to Remote Code Execution. Results are used with no namespace and, at the same time, its upper package has no or wildcard namespace; similarly, when using url tags with no value and action set and, at the same time, its upper package has no or wildcard namespace; and, similarly to results, when using url tags with no value and action set and, at the same time, its upper package has no or wildcard namespace.

Mitigation / Precaution

  • Don’t use Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16

Written by
Jijith Rajan
Jijith Rajan
Cyber Security Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days