CVE-2018-11776

Priority
Description
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible
Remote Code Execution when alwaysSelectFullNamespace is true (either by
user or a plugin like Convention Plugin) and then: results are used with no
namespace and in same time, its upper package have no or wildcard namespace
and similar to results, same possibility when using url tag which doesn't
have value and action set and in same time, its upper package have no or
wildcard namespace.
Notes
Package
Upstream:not-affected (debian: Specific to 2.x)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was not-affected [debian: Specific to 2.x])
Patches:
More Information

Updated: 2021-10-21 05:40:39 UTC (commit 1bbbce2fb1a3c15b20fcf10f0073e1fb6ad43ae6)