Apache Struts 2 ClassLoader Manipulation Incomplete Fix for Security Bypass

This script is Copyright (C) 2014-2015 Tenable Network Security, Inc.

Synopsis :

The remote web server contains a web application that uses a Java
framework that is affected by a security bypass vulnerability.

Description :

The remote web application appears to use Struts 2, a web framework
that utilizes OGNL (Object-Graph Navigation Language) as an expression
language. The version of Struts 2 in use is affected by a security
bypass vulnerability, possibly due to an incomplete fix for
ClassLoader manipulation implemented in version

Note that this plugin will only report the first vulnerable instance
of a Struts 2 application.

See also :


Solution :

Upgrade to version or later.

Risk factor :

Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 4.3
Public Exploit Available : true

Family: Denial of Service

Nessus Plugin ID: 73763

Bugtraq ID: 67064

CVE ID: CVE-2014-0112