Apache Struts 2.x < 2.3.24.1 Request Parameter 'top' Object Access Handling Remote Manipulation
Severity: Medium | Nessus Plugin ID 88714
Synopsis
The remote Windows host contains a web application that uses a Java framework affected by a remote manipulation vulnerability.

Description
The version of Apache Struts installed on the remote Windows host is 2.x prior to 2.3.24.1. It is, therefore, affected by a remote manipulation vulnerability: the framework does not correctly restrict access to the special 'top' object, so an unauthenticated, remote attacker can use a specially crafted request to reach and manipulate internal framework components and container settings.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number, so the result is a version match rather than proof of exploitability.

Solution
Upgrade to Apache Struts version 2.3.24.1 or later. Alternatively, apply the workaround referenced in the vendor advisory.
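Because the plugin relies on a self-reported version, an analyst confirming the finding on the host usually ends up repeating the same comparison offline against the jars actually deployed. The script below is an added example, not code from the Nessus plugin or the Struts project: it locates struts2-core jars under a deployment root (assuming the Maven artifact naming struts2-core-<version>.jar, with a fallback to the pom.properties that Maven embeds in the jar), and compares each version against 2.3.24.1 using tuple comparison so that 2.3.24 correctly sorts before 2.3.24.1. The sample tree it scans is constructed in a temporary directory; the jars are empty stand-ins, not real Struts code.

```python
"""Offline version check for the Struts 'top' object advisory (added example)."""
import re
import tempfile
import zipfile
from pathlib import Path

# First fixed release named in the solution above; adjust if your advisory differs.
FIXED_VERSION = "2.3.24.1"

# Assumed Maven artifact naming: struts2-core-<version>.jar, e.g. struts2-core-2.3.24.jar
JAR_NAME_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")
# Standard location of the Maven descriptor inside the artifact jar.
POM_PROPS = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"


def parse_version(version):
    """'2.3.24' -> (2, 3, 24); Struts release names are purely numeric dotted parts."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version):
    """True when the version is 2.x and strictly older than FIXED_VERSION.
    Tuple comparison gives (2, 3, 24) < (2, 3, 24, 1), which plain string
    comparison would also get right here but fails for e.g. 2.3.9 vs 2.3.24."""
    v = parse_version(version)
    if v[0] != 2:
        return False
    return v < parse_version(FIXED_VERSION)


def version_from_jar(path):
    """Version from the jar file name, else from pom.properties inside the jar."""
    m = JAR_NAME_RE.match(path.name)
    if m:
        return m.group(1)
    try:
        with zipfile.ZipFile(path) as zf:
            if POM_PROPS in zf.namelist():
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        pass  # not a jar at all; report nothing rather than guess
    return None


def scan(root):
    """Walk root and return (path, version, affected) for every struts2-core jar found."""
    results = []
    for path in sorted(Path(root).rglob("struts2-core*.jar")):
        version = version_from_jar(path)
        if version is not None:
            results.append((str(path), version, is_affected(version)))
    return results


def build_sample_tree(root):
    """Constructed sample deployment: empty jars named like real artifacts (not real Struts code)."""
    root = Path(root)
    for name in ("app1/WEB-INF/lib/struts2-core-2.3.24.jar",
                 "app2/WEB-INF/lib/struts2-core-2.3.24.1.jar",
                 "app3/WEB-INF/lib/struts2-core-2.5.2.jar"):
        p = root / name
        p.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(p, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    # A renamed jar whose version is only discoverable from the embedded pom.properties.
    p = root / "app4/WEB-INF/lib/struts2-core.jar"
    p.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(p, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.3.20\ngroupId=org.apache.struts\nartifactId=struts2-core\n")


def run_demo():
    """Scan the constructed tree; returns {version: affected}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {version: affected for _, version, affected in scan(tmp)}


if __name__ == "__main__":
    for version, affected in run_demo().items():
        print(f"struts2-core {version}: {'AFFECTED' if affected else 'not affected'}")
```

Point scan() at a real deployment root (for example a Tomcat webapps directory) to get the same verdict the plugin derives from the self-reported version. Like the plugin, this is a version match only: it does not prove the 'top' object is reachable in a given application, and a jar that has been renamed without its Maven descriptor will be skipped rather than reported.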