CVE-2011-2088: XWork in Apache Struts Reveals Sensitive Information

CVSS Score: 5

Basic Information

EPSS Score: 0.84865%
Published: 5/14/2022
Updated: 8/17/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Package Name: org.apache.struts.xwork:xwork-core
Ecosystem: maven
Vulnerable Versions: < 2.2.2
First Patched Version: 2.2.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from unescaped user-controlled input in error messages generated by XWork. The commit diff shows the patch added StringEscapeUtils.escapeHtml() and escapeJavaScript() to sanitize 'actionName' and 'methodName' in DefaultActionProxy's constructor. Prior to this fix, these parameters were stored raw, leading to reflected XSS and information disclosure when invalid actions/methods were requested. The JIRA ticket WW-3579 and CVE description explicitly link this code path to the vulnerability.
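As an added illustration of the root cause described above (example code written for this page, not XWork's source and not the patch itself), the class below builds the "no such action or method" error text in two ways: the vulnerable form interpolates the request-controlled actionName and methodName raw, and the hardened form escapes them first, in the same spirit as the fix that applies escapeHtml() before the names are stored. The class name, the message wording and the small escapeHtml stand-in are assumptions; the real patch used StringEscapeUtils from commons-lang, and it also applied escapeJavaScript() for script contexts, which this HTML-only example does not cover.

```java
// Added illustration, not XWork's own code. Shows why storing request-controlled
// action/method names raw is dangerous once they are echoed in an error message,
// and what the escape-before-store pattern from the fix looks like.
public class ActionProxyMessageDemo {

    // Mirrors the pre-fix behaviour: the names come straight from the request
    // and are embedded unchanged. (Message wording is illustrative.)
    static String vulnerableMessage(String actionName, String methodName) {
        return "There is no Action mapped for action name " + actionName
             + " with method " + methodName + ".";
    }

    // Hardened form: escape the names before they are stored or embedded in
    // any message that may reach a browser.
    static String hardenedMessage(String actionName, String methodName) {
        return "There is no Action mapped for action name " + escapeHtml(actionName)
             + " with method " + escapeHtml(methodName) + ".";
    }

    // Minimal HTML escaper, a stand-in for commons-lang
    // StringEscapeUtils.escapeHtml (assumption: that is what the patch used).
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Defender-side regression check: after request-controlled names have been
    // embedded, the message must not contain raw markup characters.
    static boolean containsRawMarkup(String message) {
        return message.indexOf('<') >= 0 || message.indexOf('>') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample input: a method name that is not a valid identifier.
        String action = "login";
        String method = "<i>missing</i>";

        String before = vulnerableMessage(action, method);
        String after  = hardenedMessage(action, method);

        System.out.println("before: " + before + "  rawMarkup=" + containsRawMarkup(before));
        System.out.println("after : " + after  + "  rawMarkup=" + containsRawMarkup(after));
    }
}
```

Running main prints the vulnerable message with rawMarkup=true and the hardened message with rawMarkup=false; the containsRawMarkup check is the kind of assertion a unit test for the fix can carry so the raw-interpolation pattern does not return in a later refactor.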


WAF Protection Rules

WAF Rule

XWork in Apache Struts, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method.
