Candidate: CVE-2010-1870
PublicDate: 2010-08-17 20:00:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1870
Description:
 The OGNL extensive expression evaluation capability in XWork in Struts
 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly
 other products, uses a permissive whitelist, which allows remote attackers
 to modify server-side context objects and bypass the "#" protection
 mechanism in ParameterInterceptors via the (1) #context, (2)
 #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6)
 #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9)
 #_keepLastEvaluation, and possibly other OGNL context variables, a
 different vulnerability than CVE-2008-6504.
Ubuntu-Description:
  sbeattie> we do not have struts2 in the archive (yet)
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS: 

Patches_libstruts1.2-java:
upstream_libstruts1.2-java: released (2.2.1)
dapper_libstruts1.2-java: not-affected (1.2.9-1ubuntu1)
hardy_libstruts1.2-java: not-affected (1.2.9-3)
jaunty_libstruts1.2-java: not-affected (1.2.9-3)
karmic_libstruts1.2-java: not-affected (1.2.9-3)
lucid_libstruts1.2-java: not-affected (1.2.9-3.1)
devel_libstruts1.2-java: not-affected (1.2.9-4)