struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From rgm <str...@rgm.nu>
Subject Are S2-018 and S2-019 serious / remotely exploitable?
Date Wed, 18 Sep 2013 15:09:43 GMT
Are S2-018 and S2-019 as serious as these issues that prompted 2.3.15.1?
 Should I rush to upgrade clients in the field to 2.3.15.2 as soon as it's
available?

As a reminder, these issues were fixed in 2.3.15.1, and one was marked
highly critical:

   - CVE 2013-2251 -
S2-016<http://struts.apache.org/release/2.3.x/docs/s2-016.html> -
   In Struts 2 before 2.3.15.1 the information following "action:",
   "redirect:" or "redirectAction:" is not properly sanitized.
   - CVE 2013-2248 -
S2-017<http://struts.apache.org/release/2.3.x/docs/s2-017.html> -
   In Struts 2 before 2.3.15.1 the information following "redirect:" or
   "redirectAction:" can easily be manipulated to redirect to an arbitrary
   location.


Unsure about appropriate panic level,
-rgm

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message