Apache Struts2 S2-057 RCE

By
Jijith Rajan
Published on
16 Jun 2021
Vulnerability

Apache Struts is a free and open-source framework used to build Java web applications. Apache Struts2 S2-057 has a remote code execution vulnerability. When alwaysSelectFullNamespace is true (either by the user or by a plugin like Convention Plugin), Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are vulnerable to Remote Code Execution. Results are used with no namespace and, at the same time, its upper package has no or wildcard namespace; similarly, when using url tags with no value and action set and, at the same time, its upper package has no or wildcard namespace; and, similarly to results, when using url tags with no value and action set and, at the same time, its upper package has no or wildcard namespace.

Mitigation / Precaution

  • Don’t use Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Jijith Rajan
Jijith Rajan
Cyber Security Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment