CVE-2007-4556: OpenSymphony XWork vulnerable to improper input validation
Basic Information
CVE ID: CVE-2007-4556
GHSA ID:
CVSS Score: 6.8
EPSS Score: 0.8423%
CWE:
Published: 5/1/2022
Updated: 9/11/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
opensymphony:xwork | maven | < 1.2.3 | 1.2.3 |
opensymphony:xwork | maven | >= 2.0.0, <= 2.0.3 | 2.0.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from recursive OGNL evaluation in XWork's expression handling. The core functions are:
- OgnlValueStack.findValue() - directly evaluates OGNL expressions from user input
- TextParseUtil.translateVariables() - processes %{...} syntax patterns

These functions would appear in stack traces when processing malicious payloads containing OGNL expressions. The Struts S2-001 documentation explicitly references these expression evaluation patterns, and the XWork 2.0.4 patch notes indicate changes to OGNL handling in these areas.
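A Python model of the recursive-evaluation root cause described above (an added example, not XWork's or Struts' code): a toy %{...} interpolator over a constructed value store, in the re-scanning form beside a single-pass form, plus a check that flags stored values which themselves carry %{...} markers. The value store, its keys and the function names are assumptions; no real OGNL is evaluated.

```python
import re

# Constructed stand-in for the value stack (assumption: a flat dict of
# expression -> result). "form.input" models a value that a user supplied.
VALUES = {
    "user.name": "alice",
    "greeting": "Hello, %{user.name}",
    "secret": "s3cr3t",
    "form.input": "%{secret}",
}

MARKER = re.compile(r"%\{([^}]*)\}")


def find_value(expr, values):
    """Stand-in for a value-stack lookup; unknown expressions resolve to ''."""
    return values.get(expr, "")


def translate_recursive(text, values, depth=0, max_depth=10):
    """The vulnerable pattern: after one substitution pass the result is
    scanned again, so %{...} markers that arrive *inside* a looked-up value
    (e.g. user input) are themselves treated as expressions and evaluated."""
    if depth >= max_depth:  # guard so a self-referencing store cannot loop
        return text
    new_text = MARKER.sub(lambda m: find_value(m.group(1), values), text)
    if new_text != text:
        return translate_recursive(new_text, values, depth + 1, max_depth)
    return new_text


def translate_once(text, values):
    """The hardened pattern: a single left-to-right pass; whatever a lookup
    returns is emitted verbatim and never re-parsed for markers."""
    return MARKER.sub(lambda m: find_value(m.group(1), values), text)


def values_carrying_markers(values):
    """Defensive check: list store entries whose *value* contains %{...}.
    Under recursive evaluation each of these would be evaluated again."""
    return sorted(k for k, v in values.items() if MARKER.search(v))


if __name__ == "__main__":
    # Recursive: the user-controlled "%{secret}" is evaluated -> "s3cr3t"
    print(translate_recursive("%{form.input}", VALUES))
    # Single pass: the user-controlled text stays literal -> "%{secret}"
    print(translate_once("%{form.input}", VALUES))
    print(values_carrying_markers(VALUES))
```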