Apache Struts 2 < 2.3.29 DevMode Remote Code Execution

critical Web App Scanning Plugin ID 112742

Synopsis

Apache Struts 2 < 2.3.29 DevMode Remote Code Execution

Description

Apache Struts 2 installed on the remote host is configured to operate in development mode (DevMode) and is in a version less than or equal to 2.3.29. Although DevMode can speed up web application development, it exposes functionality that can be abused to run arbitrary commands on the server.

Solution

Upgrade to Apache Struts 2 2.3.29 or later.

See Also

https://struts.apache.org/core-developers/development-mode.html

https://struts.apache.org/security/#disable-devmode

Plugin Details

Severity: Critical

ID: 112742

Type: remote

Published: 4/13/2021

Updated: 9/7/2021

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: Tenable

Vulnerability Information

CPE: cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information