Apache Struts2 ParametersInterceptor Remote Command Execution
TSL ID: FSC20100713-06
CVE ID(s): CVE-2010-1870
Severity: Critical
Description

A command execution vulnerability exists in the Apache Struts2 web application framework. The vulnerability is due to insufficient input validation in the ParametersInterceptor component when it parses the parameters of incoming HTTP requests. A remote attacker can exploit this vulnerability by sending a crafted HTTP request to a target system.

In an attack scenario where the vulnerability is used to execute arbitrary commands on the target machine, those commands run within the security context of the affected service.

The vendor, Apache, has provided a source patch for this vulnerability:

http://svn.apache.org/viewvc?view=revision&revision=956389
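The root cause described above is that request parameter names reached the interceptor without a strict validation step. The following Python snippet is an added, illustrative example (not code from Apache Struts2 or from this advisory's author) of the two controls a defender would want: an allowlist that accepts only plain property-path parameter names before they are passed on, and a scan of web-server access logs for requests whose parameter names fail that allowlist. The allowlist pattern, the helper names and the sample log lines are assumptions constructed for this example, not the pattern used by Struts itself.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Illustrative allowlist for parameter names (an assumption for this example,
# not the pattern Struts itself uses): plain property paths such as
# "user.name", "items[0].id" or "address.city". Anything else is rejected
# before it could reach an expression-evaluating parameter interceptor.
SAFE_PARAM_NAME = re.compile(
    r"^[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*|\[\d+\])*$"
)


def accept_param_name(name):
    """Return True only if the parameter name is a plain property path."""
    return SAFE_PARAM_NAME.fullmatch(name) is not None


def filter_params(query):
    """Split a query string into (accepted parameters, rejected parameter names)."""
    accepted, rejected = {}, []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if accept_param_name(name):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


def scan_access_log(lines):
    """Flag access-log lines whose query string carries a rejected parameter name.

    Returns a list of (request_target, rejected_names) tuples.
    """
    hits = []
    for line in lines:
        # Minimal combined-log parsing: pull the request target out of the
        # quoted request line. Only GET/POST are handled in this example.
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        target = m.group(1)
        query = urlsplit(target).query
        _, rejected = filter_params(query)
        if rejected:
            hits.append((target, rejected))
    return hits


# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Jul/2010:10:00:01 +0000] '
    '"GET /app/save.action?user.name=alice&items[0].id=7 HTTP/1.1" 200 512',
    '10.0.0.9 - - [13/Jul/2010:10:00:02 +0000] '
    '"GET /app/save.action?@user.name=bob HTTP/1.1" 200 512',
    '10.0.0.9 - - [13/Jul/2010:10:00:03 +0000] '
    '"POST /app/login.action HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for target, rejected in scan_access_log(SAMPLE_LOG):
        print("rejected parameter name(s) in", target, "->", rejected)
```

The allowlist approach is the important design choice: rather than trying to blacklist individual characters or encodings that an expression evaluator might interpret, it accepts only the narrow shape a legitimate property path can take, so anything unexpected is dropped at the edge. The same `accept_param_name` predicate drives both the runtime filter and the retrospective log scan, which keeps detection and prevention consistent.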

Affected Products
  • Apache Software Foundation Struts 2.x prior to 2.2.1
  • OpenSymphony.com XWork 2.x
CVSS Score
Base 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P):
  • Access vector is NETWORK
  • Access complexity is LOW
  • Level of authentication required is NONE
  • Impact of this vulnerability on data confidentiality is PARTIAL
  • Impact of this vulnerability on data integrity is PARTIAL
  • Impact of this vulnerability on data availability is PARTIAL
Temporal 5.9 (E:POC/RL:OF/RC:C):
  • The exploitability level of this vulnerability is PROOF OF CONCEPT
  • The remediation level of this vulnerability is OFFICIAL FIX
  • The report confidence level of this vulnerability is CONFIRMED