GHSA-wxw2-2mx5-c5qf

Source
https://github.com/advisories/GHSA-wxw2-2mx5-c5qf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wxw2-2mx5-c5qf/GHSA-wxw2-2mx5-c5qf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wxw2-2mx5-c5qf
Aliases
  • CVE-2008-6504
Published
2022-05-17T02:11:15Z
Modified
2024-11-28T05:33:07.990275Z
Summary
Improper Input Validation in OpenSymphony XWork
Details

ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.

Database specific
{
    "nvd_published_at": "2009-03-23T14:19:00Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-01T22:34:44Z"
}
References

Affected packages

Maven / com.opensymphony:xwork

Package

Name
com.opensymphony:xwork
Purl
pkg:maven/com.opensymphony/xwork

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.0.6

Affected versions

2.*

2.0.4
2.0.5

Maven / com.opensymphony:xwork

Package

Name
com.opensymphony:xwork
Purl
pkg:maven/com.opensymphony/xwork

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.1.2

Affected versions

2.*

2.1.0
2.1.1