5

CVSS Score

Basic Information

CVE ID

CVE-2010-1870

GHSA ID

GHSA-x5fc-pgpx-59j5

EPSS Score

0.99826%

CWE

Published

5/13/2022

Updated

8/26/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2010-1870

CVE-2010-1870: Server side object manipulation in Apache Struts

OGNL provides, among other features, extensive expression evaluation capabilities. This vulnerability allows a malicious user to bypass the '#'-usage protection built into the ParametersInterceptor, thus being able to manipulate server side context objects. This behavior was already addressed in S2-003, but it turned out that the resulting fix based on whitelisting acceptable parameter names closed the vulnerability only partially.

(GitHub Advisory)

5

CVSS Score

Basic Information

CVE ID

CVE-2010-1870

GHSA ID

GHSA-x5fc-pgpx-59j5

EPSS Score

0.99826%

CWE

Published

5/13/2022

Updated

8/26/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.struts:struts2-core	maven	< 2.2.1	2.2.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how ParametersInterceptor handles parameter names as OGNL expressions. Despite a previous fix (S2-003) that attempted to block '#' characters, attackers bypassed it using Unicode encoding. The intercept() method in ParametersInterceptor processes these parameters and passes them to OGNL's setValue, which evaluates the expressions. The OgnlUtil.setValue method lacks sufficient safeguards against context object manipulation (e.g., modifying #_memberAccess to enable static method execution). The combination of these functions' behavior allowed attackers to inject malicious OGNL expressions, as confirmed by exploit details and the CVE description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

O*NL provi**s, *mon* ot**r ***tur*s, *xt*nsiv* *xpr*ssion *v*lu*tion **p**iliti*s. T*is vuln*r**ility *llows * m*li*ious us*r to *yp*ss t** '#'-us*** prot**tion *uilt into t** P*r*m*t*rsInt*r**ptor, t*us **in* **l* to m*nipul*t* s*rv*r si** *ont*xt o

Reasoning

T** vuln*r**ility st*ms *rom *ow `P*r*m*t*rsInt*r**ptor` **n*l*s p*r*m*t*r n*m*s *s O*NL *xpr*ssions. **spit* * pr*vious *ix (S*-***) t**t *tt*mpt** to *lo*k '#' ***r**t*rs, *tt**k*rs *yp*ss** it usin* Uni*o** *n*o*in*. T** `int*r**pt()` m*t*o* in `P

5

Basic Information

Concerned about an active attack path?

CVE-2010-1870: Server side object manipulation in Apache Struts

5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI