Candidate: CVE-2010-1870
PublicDate: 2010-08-17
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1870
Description:
The OGNL extensive expression evaluation capability in XWork in Struts
2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly
other products, uses a permissive whitelist, which allows remote attackers
to modify server-side context objects and bypass the "#" protection
mechanism in ParameterInterceptors via the (1) #context, (2)
#_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6)
#_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9)
#_keepLastEvaluation, and possibly other OGNL context variables, a
different vulnerability than CVE-2008-6504.
Ubuntu-Description:
sbeattie: we do not have struts2 in the archive (yet)
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
Patches_libstruts1.2-java:
upstream_libstruts1.2-java: released (2.2.1)
dapper_libstruts1.2-java: not-affected (1.2.9-1ubuntu1)
hardy_libstruts1.2-java: not-affected (1.2.9-3)
jaunty_libstruts1.2-java: not-affected (1.2.9-3)
karmic_libstruts1.2-java: not-affected (1.2.9-3)
lucid_libstruts1.2-java: not-affected (1.2.9-3.1)
devel_libstruts1.2-java: not-affected (1.2.9-4)