CVE-2008-6504
Published 2009-03-23
Priority: P3 (48) · medium
CVSS 2.0: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploit available · EPSS 39.40% (98.4th percentile)
ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.
Affected
34 ranges (25 shown on the page; the per-range version bounds were not captured in this extract)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | — | — |
Detection & IOCs (extracted from sources)
- Detect HTTP parameter names containing a Unicode-escaped pound sign (\u0023) used to bypass the '#' restriction in ParametersInterceptor and inject OGNL expressions.
- Monitor HTTP request parameters for OGNL context variable references such as #context, #_memberAccess, #root, #this, #_typeResolver, #_classResolver, #_traceEvaluations, #_lastEvaluation and #_keepLastEvaluation as indicators of exploitation attempts.
- CVE-2008-6504 affects OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2; the \u0023 bypass of the '#' filter is specific to these vulnerable versions.
- CVE-2008-6504 and CVE-2010-1870 are distinct vulnerabilities sharing the same ParametersInterceptor attack surface; detections should account for both bypass techniques (Unicode escape and permissive whitelist).
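The bullets above say what to look for; the Python below is an added example (not code from this page, from XWork or from Apache Struts) that models both sides of the problem. It contains a deliberately simplified stand-in for the pre-fix check, which rejects a literal '#' in the parameter name after the servlet container has URL-decoded it once, a hardened allow-list check that decodes Java-style \uXXXX escapes before validating, and a detector that tags the IOCs listed above over constructed request lines. The naive check, the allow-list regex and every sample URL are assumptions for illustration, not the XWork source or captured traffic.

```python
"""Detecting (and correctly rejecting) the ParametersInterceptor bypass patterns
named on this page: a '\\u0023' escape standing in for '#' (CVE-2008-6504) and
references to OGNL context variables such as #_memberAccess (CVE-2010-1870).
All request lines are constructed for illustration, not captured traffic."""
import re
from urllib.parse import unquote, urlsplit

# Context variables listed in the CVE-2010-1870 description on this page.
OGNL_CONTEXT_VARS = (
    "context", "_memberAccess", "root", "this", "_typeResolver",
    "_classResolver", "_traceEvaluations", "_lastEvaluation", "_keepLastEvaluation",
)

_JAVA_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
_CONTEXT_REF = re.compile(r"#(" + "|".join(map(re.escape, OGNL_CONTEXT_VARS)) + r")\b")
# Assumed allow-list for a plain property path: foo, foo.bar, foo[0], foo['key'].
_PROPERTY_PATH = re.compile(
    r"[A-Za-z][A-Za-z0-9_]*(?:\.[A-Za-z][A-Za-z0-9_]*|\[[0-9]+\]|\['[A-Za-z0-9_]+'\])*"
)


def decode_java_unicode_escapes(s):
    """Resolve \\uXXXX escapes the way a Java/OGNL lexer does, so that
    '\\u0023context' becomes '#context'."""
    return _JAVA_UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def naive_acceptable_name(name):
    """Simplified model (an assumption, not the real XWork source) of a check
    that rejects a literal '#' in the container-decoded parameter name.
    The escape sequence contains no '#', so it passes untouched."""
    return "#" not in name


def hardened_acceptable_name(name):
    """Decode escapes first, then require the name to match a strict allow-list
    of property-path syntax. Anything OGNL-shaped (parentheses, '#', a
    backslash left over from an escape we did not decode) is rejected."""
    normalized = decode_java_unicode_escapes(name)
    if "#" in normalized or "\\" in normalized:
        return False
    return _PROPERTY_PATH.fullmatch(normalized) is not None


def classify_param_name(name):
    """Indicator tags for one container-decoded parameter name."""
    tags = []
    if any(chr(int(m.group(1), 16)) == "#" for m in _JAVA_UNICODE_ESCAPE.finditer(name)):
        tags.append("unicode-escaped-pound")
    normalized = decode_java_unicode_escapes(name)
    refs = [m.group(1) for m in _CONTEXT_REF.finditer(normalized)]
    tags.extend("ognl-context-ref:" + r for r in refs)
    if "#" in normalized and not refs:
        tags.append("pound-sign")
    return tags


def audit_request_line(line):
    """Split a 'METHOD /path?query' line into parameter names (URL-decoded once,
    as a servlet container would) and report how each check treats them."""
    parts = line.split()
    target = parts[1] if len(parts) > 1 else parts[0]
    rows = []
    for pair in urlsplit(target).query.split("&"):
        if not pair:
            continue
        name = unquote(pair.split("=", 1)[0])
        rows.append({
            "name": name,
            "naive_ok": naive_acceptable_name(name),
            "hardened_ok": hardened_acceptable_name(name),
            "tags": classify_param_name(name),
        })
    return rows


# Constructed sample request lines (not real traffic).
SAMPLE_REQUESTS = [
    "GET /login.action?username=alice&remember=1",
    "GET /user.action?user.address[0].city=Paris&prefs['lang']=fr",
    "GET /login.action?('\\u0023context')(x)=1",
    "GET /login.action?%28%27%5Cu0023_memberAccess%27%29%28x%29=1",
    "GET /login.action?%23root=1",
]


def bypassed_names(requests):
    """Names the naive check let through that the hardened check rejects."""
    return [r["name"] for line in requests for r in audit_request_line(line)
            if r["naive_ok"] and not r["hardened_ok"]]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        for r in audit_request_line(line):
            print(f"{r['name']!r:45} naive={r['naive_ok']!s:5} "
                  f"hardened={r['hardened_ok']!s:5} {r['tags']}")
```

Running the file prints one row per parameter; `bypassed_names()` returns exactly the two names carrying `\u0023`, which the naive check accepts and the hardened check rejects, while the plain `%23root` is caught by both. The checks deliberately run on the name after a single round of URL decoding, because that is what the container hands to the interceptor: the `\u0023` sequence survives that step unchanged and is only turned into `#` later by the expression engine, which is the whole mechanism of the bypass.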
CVSS provenance
- NVD · CVSS v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:P/A:N
- Red Hat (vendor) · 5.0 MEDIUM
OSV
Improper Input Validation in OpenSymphony XWork
osv · 2022-05-17 · CVE-2008-6504 · MEDIUM
Description: identical to the CVE text above.
GHSA
Improper Input Validation in OpenSymphony XWork
ghsa · 2022-05-17 · CVE-2008-6504 · MEDIUM · CWE-20
Description: identical to the CVE text above.
Red Hat
Struts2/WebWorks/XWork: ParameterInterceptors bypass allows remote command execution
vendor_redhat · 2010-07-25 · CVE-2010-1870 · MEDIUM · CVSS 5.0
The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.
Statement: truncated on this page; the same Red Hat statement is reproduced more fully under the CVE-2008-6504 Red Hat entry below.
Red Hat
Struts2/WebWorks/XWork: ParameterInterceptors bypass allows OGNL statement execution
vendor_redhat · 2008-06-12 · CVE-2008-6504 · MEDIUM · CVSS 5.0
Description: identical to the CVE text above.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and […]
No detection rules found.
Bugzilla
CVE-2008-6504 Apache Struts2/WebWorks/XWork: ParameterInterceptors bypass allows OGNL statement execution
bugzilla · 2014-07-28 · CVE-2008-6504 · MEDIUM · CVSS 5.0
It was discovered that ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.
References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-6504
- http://struts.apache.org/release/2.2.x/docs/s2-003.html
- https://github.com/victims/victims-cve-db/blob/master/database/java/2008/6504.yaml
Discussion:
> for now I'm not interested to upgra[…]
Bugzilla
CVE-2010-1870 Apache Struts2/WebWorks/XWork: ParameterInterceptors bypass allows remote command execution
bugzilla · 2014-07-28 · CVE-2010-1870 · MEDIUM · CVSS 5.0
It was discovered that the OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.
References:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1870
- htt[…]
References:
- http://fisheye6.atlassian.com/cru/CR-9/
- http://issues.apache.org/struts/browse/WW-2692
- http://jira.opensymphony.com/browse/XW-641
- http://osvdb.org/49732
- http://secunia.com/advisories/32495
- http://secunia.com/advisories/32497
- http://struts.apache.org/2.x/docs/s2-003.html
- http://www.securityfocus.com/bid/32101
- http://www.vupen.com/english/advisories/2008/3003
- http://www.vupen.com/english/advisories/2008/3004
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46328