In association with heise online

06 November 2008, 11:05

Patch for Apache Struts closes two holes


Apache Struts, an open source framework for Java-based web applications, has been found to contain two vulnerabilities. A directory traversal vulnerability in the "FilterDispatcher" and "DefaultStaticContentLoader" classes allows attackers to traverse the server path and download files without permission. Another vulnerability allows server-side objects to be manipulated using specially crafted OGNL (Object-Graph Navigation Language) commands. This problem is rated as critical by the developers.

Apache Struts versions 2.0.0 up to and including 2.0.11.2 are affected. Version 2.0.12 no longer contains the flaws, and the developers urgently recommend that users update.
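To check a deployment against the affected range above, the following added example (not code from the article or from the Struts project) classifies Struts core jars by version, comparing components numerically so that 2.0.9 sorts below 2.0.11.2. It assumes the jar follows the usual `struts2-core-<version>.jar` naming; the sample paths are constructed.

```python
import re

# Affected range as stated in the article: 2.0.0 up to and including 2.0.11.2.
FIRST_AFFECTED = (2, 0, 0)
LAST_AFFECTED = (2, 0, 11, 2)

# Assumption: the jar is named struts2-core-<version>.jar, optionally with a
# "-qualifier" suffix after the numeric version.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)(?:-[A-Za-z0-9]+)?\.jar$")


def parse_version(text):
    """Turn '2.0.11.2' into (2, 0, 11, 2) so components compare as numbers."""
    return tuple(int(part) for part in text.split("."))


def _pad(version, width):
    """Right-pad with zeros so 2.0.12 and 2.0.11.2 compare at equal length."""
    return version + (0,) * (width - len(version))


def is_affected(version_text):
    """True if the version lies inside the article's affected range."""
    version = parse_version(version_text)
    width = max(len(version), len(LAST_AFFECTED))
    low, high = _pad(FIRST_AFFECTED, width), _pad(LAST_AFFECTED, width)
    return low <= _pad(version, width) <= high


def audit(paths):
    """Return (path, version, affected) for every Struts core jar in paths."""
    findings = []
    for path in paths:
        match = JAR_RE.search(path)
        if match:
            findings.append((path, match.group(1), is_affected(match.group(1))))
    return findings


# Constructed sample input: jar paths as they might appear in deployed webapps.
SAMPLE_PATHS = [
    "/srv/webapps/shop/WEB-INF/lib/struts2-core-2.0.9.jar",
    "/srv/webapps/crm/WEB-INF/lib/struts2-core-2.0.11.2.jar",
    "/srv/webapps/portal/WEB-INF/lib/struts2-core-2.0.12.jar",
    "/srv/webapps/portal/WEB-INF/lib/commons-logging-1.0.4.jar",
]

if __name__ == "__main__":
    for path, version, affected in audit(SAMPLE_PATHS):
        print("AFFECTED" if affected else "ok      ", version, path)
```
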


(djwm)

Permalink: http://h-online.com/-738001
 

