CVE-2011-2088:
XWork in Apache Struts Reveals Sensitive Information
5
CVSS Score
Basic Information
CVE ID
GHSA ID
EPSS Score
0.84865%
CWE
Published
5/14/2022
Updated
8/17/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
AV:N/AC:L/Au:N/C:P/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.struts.xwork:xwork-core | maven | < 2.2.2 | 2.2.2 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unescaped user-controlled input in error messages generated by XWork. The commit diff shows the patch added StringEscapeUtils.escapeHtml()
and escapeJavaScript()
to sanitize 'actionName' and 'methodName' in DefaultActionProxy
's constructor. Prior to this fix, these parameters were stored raw, leading to reflected XSS and information disclosure when invalid actions/methods were requested. The JIRA ticket WW-3579 and CVE description explicitly link this code path to the vulnerability.