Description
A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks. A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into the stack, afterward used as request parameter of an URL or A tag , which will cause a further evaluation.
The issue was originally addressed by Struts 2.3.14.1 and Security Announcement S2-013. However, the solution introduced with 2.3.14.1 did not address all possible attack vectors, such that every version of Struts 2 before 2.3.14.2 is still vulnerable to such attacks.
Remediation
It is strongly recommended to upgrade to Struts 2.3.14.2, which contains the corrected OGNL and XWork library.
References
Related Vulnerabilities
MySQL CVE-2018-2758 Vulnerability (CVE-2018-2758)
Squid Improper Input Validation Vulnerability (CVE-2020-24606)
Drupal Core 5.x Arbitrary Code Execution (5.0)
Magento Authorization Bypass Through User-Controlled Key Vulnerability (CVE-2019-7890)
Next.js Improper Check for Unusual or Exceptional Conditions Vulnerability (CVE-2022-36046)