CVE-2010-1870: Server side object manipulation in Apache Struts
5
CVSS Score
Basic Information
CVE ID
GHSA ID
EPSS Score
0.99826%
CWE
-
Published
5/13/2022
Updated
8/26/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
AV:N/AC:L/Au:N/C:N/I:P/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.struts:struts2-core | maven | < 2.2.1 | 2.2.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from how ParametersInterceptor
handles parameter names as OGNL expressions. Despite a previous fix (S2-003) that attempted to block '#' characters, attackers bypassed it using Unicode encoding. The intercept()
method in ParametersInterceptor
processes these parameters and passes them to OGNL's setValue
, which evaluates the expressions. The OgnlUtil.setValue
method lacks sufficient safeguards against context object manipulation (e.g., modifying #_memberAccess to enable static method execution). The combination of these functions' behavior allowed attackers to inject malicious OGNL expressions, as confirmed by exploit details and the CVE description.