
CVE-2019-0233:
Improper Preservation of Permissions in Apache Struts

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.88916%
Published: 5/24/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: org.apache.struts:struts2-core
Ecosystem: maven
Vulnerable Versions: >= 2.0.0, < 2.5.22
First Patched Version: 2.5.22

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from Struts not excluding the java.io and java.nio packages from OGNL property evaluation. ParametersInterceptor binds request parameters onto the action using OGNL, and OgnlUtil performs the actual property get/set operations. An action that handles a file upload typically exposes the uploaded java.io.File through a getter, so a crafted parameter name could walk through that getter into the File object and change its properties, leaving the temporary working copy (or the container's temp directory) unusable for subsequent actions: a denial of service rather than code execution, which is why the vector scores only availability impact. The patch (Struts 2.5.22) adds java.io and java.nio to the excluded package names in the framework's default configuration (org/apache/struts2/default.properties), so the security checks applied by these components now reject such property paths. ParametersInterceptor and OgnlUtil are the frames that would appear in stack traces when malicious file upload parameters reaching File object properties are processed.
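As an added check (example code written for this page, not Miggo's or the Struts project's own), the following Python script applies the two facts above: the affected range from the package table and the java.io/java.nio exclusion the patch introduces. It reports whether a pom.xml declares struts2-core in the affected range (resolving a ${property} version reference against <properties>) and whether a properties-style Struts configuration already excludes java.io. and java.nio. The pom.xml and properties excerpts are constructed for the example; the standard POM namespace, the properties-file layout, and the treatment of a broader prefix such as java. as covering java.io. (Struts matches excluded package names by prefix) are assumptions of this script.

```python
"""Check a Struts project for CVE-2019-0233 exposure (example code, not Miggo's or Struts').

  1. Is org.apache.struts:struts2-core in the affected range (>= 2.0.0, < 2.5.22)?
  2. Does struts.excludedPackageNames already exclude java.io. and java.nio.
     (the packages the 2.5.22 patch adds to the default exclusions)?
The sample pom.xml and properties text below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

AFFECTED_MIN = (2, 0, 0)   # inclusive lower bound from the package table
FIXED = (2, 5, 22)         # first patched version, exclusive upper bound
REQUIRED_EXCLUSIONS = ("java.io.", "java.nio.")
POM_NS = "http://maven.apache.org/POM/4.0.0"   # assumption: standard POM namespace
MAVEN_NS = {"m": POM_NS}


def parse_version(v: str) -> tuple:
    """Turn '2.5.20' (or '2.3.37-SNAPSHOT') into a comparable 3-int tuple.
    Qualifiers after '-' are dropped; missing components are treated as 0."""
    nums = [int(p) for p in re.findall(r"\d+", v.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))[:3]


def is_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) < FIXED


def struts2_core_version(pom_xml: str):
    """Return the declared struts2-core version from a pom.xml, resolving a
    ${property} reference against <properties>; None if it is not declared."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", MAVEN_NS)}
    for dep in root.iter("{%s}dependency" % POM_NS):
        g = dep.findtext("m:groupId", default="", namespaces=MAVEN_NS).strip()
        a = dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS).strip()
        if (g, a) != ("org.apache.struts", "struts2-core"):
            continue
        ver = dep.findtext("m:version", default="", namespaces=MAVEN_NS).strip()
        m = re.fullmatch(r"\$\{([^}]+)\}", ver)
        if m:                                   # e.g. ${struts2.version}
            ver = props.get(m.group(1), "")
        return ver or None
    return None


def excluded_packages(struts_properties: str) -> list:
    """Parse struts.excludedPackageNames from .properties-style text
    (default.properties or a struts.properties override)."""
    for line in struts_properties.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "struts.excludedPackageNames":
            return [p.strip() for p in value.split(",") if p.strip()]
    return []


def missing_exclusions(struts_properties: str) -> list:
    """Required packages not covered by any configured exclusion prefix
    (assumption: Struts compares excluded package names as prefixes)."""
    excluded = excluded_packages(struts_properties)
    return [req for req in REQUIRED_EXCLUSIONS
            if not any(req.startswith(ex) for ex in excluded)]


def assess(pom_xml: str, struts_properties: str) -> dict:
    version = struts2_core_version(pom_xml)
    return {
        "struts2_core_version": version,
        "version_affected": bool(version) and is_affected(version),
        "missing_exclusions": missing_exclusions(struts_properties),
    }


# Constructed sample input: a pre-patch project with the version behind a property.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>upload-app</artifactId><version>1.0</version>
  <properties><struts2.version>2.5.20</struts2.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts2.version}</version>
    </dependency>
  </dependencies>
</project>
"""
SAMPLE_PROPERTIES = """# constructed excerpt, not the real default.properties
struts.devMode=false
struts.excludedPackageNames=ognl.,javax.,freemarker.core,freemarker.template
"""

if __name__ == "__main__":
    print(assess(SAMPLE_POM, SAMPLE_PROPERTIES))
```

Run it against a real project's pom.xml and effective struts.properties to get both findings in one place; a version inside the affected range with java.io./java.nio. absent from the exclusion list is the exposed configuration this page describes, and upgrading to 2.5.22 is the fix.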


WAF Protection Rules

WAF Rule

An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.
