The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.
2010-08-17T20:00:03.407
2025-04-11T00:51:21.963
Deferred
CVSSv2: 5.0 (MEDIUM)
AV:N/AC:L/Au:N/C:N/I:P/A:N
10.0
2.9
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | apache | struts | 2.0.0 | Yes |
| Application | apache | struts | 2.0.1 | Yes |
| Application | apache | struts | 2.0.2 | Yes |
| Application | apache | struts | 2.0.3 | Yes |
| Application | apache | struts | 2.0.4 | Yes |
| Application | apache | struts | 2.0.5 | Yes |
| Application | apache | struts | 2.0.6 | Yes |
| Application | apache | struts | 2.0.7 | Yes |
| Application | apache | struts | 2.0.8 | Yes |
| Application | apache | struts | 2.0.9 | Yes |
| Application | apache | struts | 2.0.10 | Yes |
| Application | apache | struts | 2.0.11 | Yes |
| Application | apache | struts | 2.0.11.1 | Yes |
| Application | apache | struts | 2.0.11.2 | Yes |
| Application | apache | struts | 2.0.12 | Yes |
| Application | apache | struts | 2.0.13 | Yes |
| Application | apache | struts | 2.0.14 | Yes |
| Application | apache | struts | 2.1.0 | Yes |
| Application | apache | struts | 2.1.1 | Yes |
| Application | apache | struts | 2.1.2 | Yes |
| Application | apache | struts | 2.1.3 | Yes |
| Application | apache | struts | 2.1.4 | Yes |
| Application | apache | struts | 2.1.5 | Yes |
| Application | apache | struts | 2.1.6 | Yes |
| Application | apache | struts | 2.1.8 | Yes |
| Application | apache | struts | 2.1.8.1 | Yes |