Test ID:	1.3.6.1.4.1.25623.1.0.801663
Category:	Web application abuses
Title:	Apache Struts Security Update (S2-005) - Active Check
Summary:	Apache Struts is prone to a remote command execution; (RCE) vulnerability.
Description:	Summary: Apache Struts is prone to a remote command execution (RCE) vulnerability. Vulnerability Insight: The flaw is due to an error in 'OGNL' extensive expression evaluation capability in XWork in Struts, uses as permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the '#' protection mechanism in ParameterInterceptors via various variables. Vulnerability Impact: Successful exploitation will allow an attacker to manipulate server-side context objects with the privileges of the user running the application. Affected Software/OS: Apache Struts 2.0.0 through 2.1.8.1. Solution: Update to version 2.2.1 or later. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2010-1870 BugTraq ID: 41592 http://www.securityfocus.com/bid/41592 http://www.exploit-db.com/exploits/14360 http://seclists.org/fulldisclosure/2010/Jul/183 http://seclists.org/fulldisclosure/2020/Oct/23 http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html http://packetstormsecurity.com/files/159643/LISTSERV-Maestro-9.0-8-Remote-Code-Execution.html http://www.osvdb.org/66280 http://secunia.com/advisories/59110 http://securityreason.com/securityalert/8345
Copyright	Copyright (C) 2010 Greenbone Networks GmbH

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.