Apache Struts 2.3.20 Incorrect Default Exclude Pattern
Medium Nessus Plugin ID 83487
Synopsis
The remote web server hosts a web application that uses a Java framework that contains incorrect default exclude patterns.
Description
The remote web server is using Apache Struts version 2.3.20. It is, therefore, affected by an issue where the default exclude patterns are incorrect when using default settings. This allows a remote attacker to impact the internal application's state.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Apache Struts version 220.127.116.11 or later.