CVE-2010-1870
Publication date 17 August 2010
Last updated 24 July 2024
Ubuntu priority
The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.
From the Ubuntu Security Team
sbeattie> we do not have struts2 in the archive (yet)
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libstruts1.2-java | | |