GHSA-wxw2-2mx5-c5qf

Suggest an improvement
Source
https://github.com/advisories/GHSA-wxw2-2mx5-c5qf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wxw2-2mx5-c5qf/GHSA-wxw2-2mx5-c5qf.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-wxw2-2mx5-c5qf
Aliases
  • CVE-2008-6504
Published
2022-05-17T02:11:15Z
Modified
2024-11-28T05:38:17.234814Z
Summary
Improper Input Validation in OpenSymphony XWork
Details

ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.

Database specific
{
    "nvd_published_at": "2009-03-23T14:19:00Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-01T22:34:44Z"
}
References

Affected packages

Maven / com.opensymphony:xwork

Package

Name
com.opensymphony:xwork
View open source insights on deps.dev
Purl
pkg:maven/com.opensymphony/xwork

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.6

Affected versions

2.*

2.0.4
2.0.5

Maven / com.opensymphony:xwork

Package

Name
com.opensymphony:xwork
View open source insights on deps.dev
Purl
pkg:maven/com.opensymphony/xwork

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1.0
Fixed
2.1.2

Affected versions

2.*

2.1.0
2.1.1