New QID for Apache Struts "ParametersInterceptor" Flaw

Document created by Dave Ferguson Employee on Mar 26, 2018Last modified by Dave Ferguson Employee on Mar 26, 2018
Version 3Show Document
  • View in full screen mode

Hello all -


The Qualys WAS scanning engine has been updated to include a new detection for an Apache Struts remote code execution (RCE) vulnerability.  This is part of an ongoing effort to provide comprehensive support for known Struts vulnerabilities.  The CVE ID is CVE-2011-3923.  This flaw exists in "ParametersInterceptor" and allows an attacker to put arbitrary OGNL statements into any String variable exposed by an action and have it evaluated as an OGNL expression.  More information is available in Apache Struts Security Bulletin S2-009


QID 150193 will be reported if this vulnerability is detected during a scan.


Vulnerable versions include Struts 2.0.0 to Struts  Upgrade to the latest version of the Apache Struts 2 framework to remediate this vulnerability.