CVE-2018-11776 (retired)

Priority
Description
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible
Remote Code Execution when alwaysSelectFullNamespace is true (either by
user or a plugin like Convention Plugin) and then: results are used with no
namespace and in same time, its upper package have no or wildcard namespace
and similar to results, same possibility when using url tag which doesn't
have value and action set and in same time, its upper package have no or
wildcard namespace.
Notes
Package
Upstream:not-affected (debian: Specific to 2.x)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
More Information

Updated: 2019-10-09 08:02:51 UTC (commit 33aea848a182c0afcd0a3f927a01a7ecd9a061ee)