You are here

Home › Apache Struts2 Vulnerabilites S2-017, S2-018, S2-019

Apache Struts2 Vulnerabilites S2-017, S2-018, S2-019

Submitted on 1. October 2013 - 14:05 by rischi.
Last update on 1. October 2013 - 15:34.
IDs: 
CVE-2013-2248, CVE-2013-4310, CVE-2013-4316, S2-017, S2-018, S2-019
Keywords: 
struts2, DMI
Description: 

Three new Apache Struts2 vulnerabilities (S2-017, S2-018, S-019) have been released. An attacker may use

  • S2-017 for phishing attacks via crafted URLs
  • S2-018 to bypass Struts2 security constraints
  • S2-019 for other unspecified attacks related to dynamic method invocation

Affected Struts2 versions are 2.0.0 up to 2.3.15.1.

Airlock is not affected because Apache Struts2 is not installed/used in Airlock.

Resolution: 

If you are using Apache Struts2 on a back-end system we strongly recommend to update Struts2 to version 2.3.15.2 or higher.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution
Reference: 
Apache Struts2 Security Bulletins
© Ergon Informatik AG