CVE-2018-11776 in Ubuntu

CVE-2018-11776

Priority

Description

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible
Remote Code Execution when alwaysSelectFullNamespace is true (either by
user or a plugin like Convention Plugin) and then: results are used with no
namespace and in same time, its upper package have no or wildcard namespace
and similar to results, same possibility when using url tag which doesn't
have value and action set and in same time, its upper package have no or
wildcard namespace.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776
https://cwiki.apache.org/confluence/display/WW/S2-057
http://www.securitytracker.com/id/1041547
https://security.netapp.com/advisory/ntap-20180822-0001/

Notes

Package

Source: libstruts1.2-java (LP Ubuntu Debian)

Upstream:	not-affected (debian: Specific to 2.x)
Ubuntu 18.04 LTS:	DNE
Ubuntu 14.04 ESM:	DNE (trusty was not-affected [debian: Specific to 2.x])

Patches:

More Information

Updated: 2022-04-13 13:14:33 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)