Permissive List of Allowed Inputs in com.opensymphony:xwork

CVE-2010-1870

  • com.opensymphony:xwork
  • com.opensymphony:xwork-core
  • opensymphony:xwork
  • opensymphony:xwork-2.0-beta
  • org.apache.struts:struts2-core
Severity High
Score 9.1/10

Summary

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in "ParameterInterceptors" via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • HIGH

CWE-183 - Permissive List of Allowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
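
The difference between a permissive and a strict allow-list for request parameter names, as an added example that is not XWork or Struts code. Both patterns, the class and method names, and every sample name other than the OGNL context variables quoted in the summary are constructed for illustration.

```java
import java.util.regex.Pattern;

/** Added illustration of CWE-183; not code from XWork or Struts. */
public class ParamNameAllowList {

    // Permissive (hypothetical): "any printable ASCII except a few characters
    // known to be dangerous". This is a deny-list in disguise: every construct
    // the author did not anticipate (calls, quotes, brackets) is still allowed.
    static final Pattern PERMISSIVE = Pattern.compile("[\\p{Graph}&&[^,#:=]]*");

    // Strict (hypothetical): only dotted property paths with optional numeric
    // indexes, such as user.address[0].city. Anything outside that grammar is
    // rejected because it is not on the list, not because it was foreseen.
    static final Pattern STRICT = Pattern.compile(
        "[A-Za-z][A-Za-z0-9_]*(\\[\\d+\\])?"
        + "(\\.[A-Za-z][A-Za-z0-9_]*(\\[\\d+\\])?)*");

    static final int MAX_NAME_LENGTH = 128; // assumed limit for this example

    /** True if the whole parameter name matches the given allow-list pattern. */
    static boolean accepted(Pattern allowList, String name) {
        return name != null
            && !name.isEmpty()
            && name.length() <= MAX_NAME_LENGTH
            && allowList.matcher(name).matches();
    }

    public static void main(String[] args) {
        String[] names = {
            "user.name",        // ordinary property path (constructed)
            "items[2].price",   // indexed property path (constructed)
            "#context",         // OGNL context variable named in the summary
            "#_memberAccess",   // OGNL context variable named in the summary
            "order(total)",     // call syntax, not a property (constructed)
            "user['name']"      // quoted index expression (constructed)
        };
        for (String n : names) {
            System.out.printf("%-16s permissive=%-5b strict=%b%n",
                n, accepted(PERMISSIVE, n), accepted(STRICT, n));
        }
    }
}
```

The last two names pass the permissive pattern and fail the strict one, which is the gap CWE-183 describes: the list admits expression syntax that was never meant to be a parameter name.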

Advisory Timeline

  • Published