Apache Struts2 vulnerabilities discovered while processing malformed XSLT files

Overview :

A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.

Affected Product(s) :

Apache Struts2

Vulnerability Details :

CVE ID :

CVE-2012-1592

It was reported that Apache Struts2 suffers from a local code execution flaw when processing malformed XSLT files. This could allow a malicious remote user able to upload an arbitrary file and then view it (such as a graphics file), and execute arbitrary code with the privileges of the struts2 process user.

NOTE: During normal usage, applications that receive untrusted input/files from remote users are expected to properly sanity-check the file and, if nothing else, not immediately make the file uploaded by an untrusted user, available to an untrusted user, without first checking the file.

http://seclists.org/bugtraq/2012/Mar/110

Remediation / Fixes :

The products that included the Struts 2 artefacts in their source jars:
Fuse Service Works 6.0.0
Single Sign On 7.3.0+

If you have used the source package from one of these products to build artefacts on your system, you should do the following to remove potentially affected jars:
1. Run ‘find . -name struts2*.jar’ under the source location
2. Remove any files found
This will not affect the product, as the jar is included with the source of google-guice, but no functionality requiring struts2 is implemented.

Apache Struts2 vulnerabilities discovered while processing malformed XSLT files

Remediation / Fixes :

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2022-1183 : Destroying a TLS session early causes assertion failure

CVE-2022-30049 : SSRF Vulnerability

CVE-2022-24878 : Improper Path Handling In Kustomization Files Allows For Denial Of Service