
Rewterz Threat Advisory – Apache Struts Security Updates

Severity

Medium

Analysis Summary

CVE-2019-0230

Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.
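The weakness described above is a coding pattern: a Struts tag attribute that forces OGNL evaluation (`%{...}`) of a value that ultimately comes from the request, which Struts then evaluates a second time. One defensive measure is to audit templates for that pattern before the framework is upgraded. The script below is an added example, not code from the Rewterz advisory or from the Apache Struts project. It assumes a heuristic of its own: every forced evaluation inside a Struts tag attribute is reported for review, and expressions that read request data directly (`#parameters`, `#request`, `#attr`) are rated high. The sample template is constructed for the demonstration. A static check like this cannot prove that an action property is request-controlled, so "review" findings need a human look.

```python
"""Audit Struts 2 JSP templates for tag attributes that force OGNL evaluation.

Added example (not from the Rewterz advisory or the Apache Struts project).
Heuristic assumed by this script: flag every %{...} inside an <s:...> tag
attribute; rate expressions that reach into #parameters/#request/#attr as
"high", everything else as "review".
"""
import re
from dataclasses import dataclass

# A Struts tag <s:name ...>: capture the tag name and its attribute text.
TAG_RE = re.compile(r"<s:(\w+)\b([^>]*)>", re.DOTALL)
# name="value" or name='value' pairs inside the attribute text.
ATTR_RE = re.compile(r"""(\w[\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
# Forced OGNL evaluation inside an attribute value.
FORCED_RE = re.compile(r"%\{([^}]*)\}")
# OGNL roots that read raw request data directly.
RAW_INPUT_RE = re.compile(r"#(parameters|request|attr)\b")


@dataclass
class Finding:
    line: int
    tag: str
    attribute: str
    expression: str
    severity: str  # "high" (raw request data) or "review" (indirect)


def audit_template(source: str) -> list[Finding]:
    """Return one Finding per forced-evaluation expression in a Struts tag attribute."""
    findings: list[Finding] = []
    for tag_match in TAG_RE.finditer(source):
        tag, attrs = tag_match.group(1), tag_match.group(2)
        # 1-based line number of the tag's opening angle bracket.
        line = source.count("\n", 0, tag_match.start()) + 1
        for attr_match in ATTR_RE.finditer(attrs):
            name = attr_match.group(1)
            value = attr_match.group(2)
            if value is None:
                value = attr_match.group(3)
            for expr in FORCED_RE.findall(value):
                severity = "high" if RAW_INPUT_RE.search(expr) else "review"
                findings.append(Finding(line, tag, name, expr.strip(), severity))
    return findings


# Constructed sample template: line 4 forces evaluation of a raw request
# parameter inside the id attribute; line 3 forces evaluation of an action
# property, which may or may not be request-controlled.
SAMPLE_TEMPLATE = """\
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:form action="save">
  <s:textfield name="skill" value="%{skillName}" />
  <s:a id="%{#parameters.skillName}" href="/skills">link</s:a>
  <s:property value="safeText" escapeHtml="true" />
</s:form>
"""

if __name__ == "__main__":
    for f in audit_template(SAMPLE_TEMPLATE):
        print(f"line {f.line}: <s:{f.tag} {f.attribute}=\"%{{{f.expression}}}\"> [{f.severity}]")
```

Run it against a checkout of your own templates by reading each `.jsp` file and passing its contents to `audit_template`; the `high` findings are the ones to rewrite first, typically by passing the value through an action property with validation instead of reading `#parameters` in the tag.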

CVE-2019-0233

Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.

Impact

  • Gain Access
  • Denial of service

Affected Vendors

Apache

Affected Products

  • Apache Struts 2.0.1
  • Apache Struts 2.0.5
  • Apache Struts 2.0.6
  • Apache Struts 2.0.9

Remediation

Refer to Apache Struts 2 Documentation S2-060 for patch, upgrade or suggested workaround information.

https://cwiki.apache.org/confluence/display/WW/S2-060