CVE-2010-1870
Published 2010-08-17
Priority P358 medium 5 CVSS 2.0
AV:N/AC:L/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS 91.08% (99.8th percentile)
The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.
Affected
27 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by looking for URL-encoded unicode bypass sequences (\u0023 for '#', \u003d for '=') combined with OGNL context variable names such as _memberAccess, xwork.MethodAccessor.denyMethodExecution, and @java.lang.Runtime@getRuntime in HTTP GET parameters.
- Flag HTTP requests containing the parameter patterns ('\u0023_memberAccess') or ('\u0023context'), as these are the unicode-encoded OGNL '#' bypass sequences used to exploit CVE-2010-1870.
- Monitor for HTTP requests to Struts .action endpoints containing the characters \u0023 (unicode for #), \u003d (unicode for =), and @java.lang.Runtime@getRuntime in parameter names or values.
- Shodan/FOFA fingerprinting: identify exposed Struts instances via HTML body containing 'struts problem report', page title 'struts2 showcase', or HTML containing 'apache struts'.
- For ListSERV Maestro specifically, scan HTTP responses at /lui/ and /hub/ for version strings matching 'LISTSERV Maestro 9.0-[0-8]' or 'Administration Hub 9.0-[0-8]' to identify vulnerable instances.
- ParametersInterceptor is enabled by default in struts-default.xml, meaning all standard Struts 2 deployments are exposed unless explicitly patched or the interceptor is reconfigured.
- As a temporary mitigation where upgrade is not possible, use ParameterInterceptor's 'excludeParams' to whitelist only required characters (A-z0-9_.'"[]) or blacklist the characters \()@ required for exploitation.
- The fix in Struts 2.2.0 whitelists a set of characters that excludes those required to exploit this vulnerability; deployments on Struts 2.0.0 through 2.1.8.1 remain vulnerable.
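The request-side checks in the list above, written as a small access-log scanner. This is an added example, not code from any of the quoted sources; the indicator labels and the sample log lines are constructed for illustration, and it only inspects the query string of logged GET/POST request lines (parameters sent in a POST body never reach an access log and need inspection at a proxy or WAF).

```python
import re
from urllib.parse import unquote

# Context variable names listed in the CVE description.
CONTEXT_VARS = ("context", "_memberAccess", "root", "this", "_typeResolver",
                "_classResolver", "_traceEvaluations", "_lastEvaluation",
                "_keepLastEvaluation")
# '#' either literal (after URL decoding) or written as the \u0023 escape.
CONTEXT_REF = re.compile(r"(?:#|\\u0023)(" + "|".join(CONTEXT_VARS) + r")\b")
ESCAPES = {"escaped-hash": re.compile(r"\\u0023"),
           "escaped-equals": re.compile(r"\\u003[dD]")}
MARKERS = ("xwork.MethodAccessor.denyMethodExecution",
           "@java.lang.Runtime@getRuntime")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (not real traffic); flagged ones hold inert fragments.
SAMPLE_LOG = """\
198.51.100.4 - - [13/Jul/2010:10:00:00 +0000] "GET /example/HelloWorld.action?name=alice&page=2 HTTP/1.1" 200 812
203.0.113.7 - - [13/Jul/2010:10:00:01 +0000] "GET /example/HelloWorld.action?('%5Cu0023context')(x)=1 HTTP/1.1" 200 512
203.0.113.7 - - [13/Jul/2010:10:00:02 +0000] "GET /shop/search.action?q=%2523_memberAccess HTTP/1.1" 200 498
203.0.113.9 - - [13/Jul/2010:10:00:03 +0000] "GET /app/login.action?x%5Cu003d%40java.lang.Runtime%40getRuntime HTTP/1.1" 404 120
"""

def findings(target):
    """Return sorted indicator names for one request target (path?query)."""
    query = target.partition("?")[2]
    decoded = unquote(unquote(query))  # second pass catches double encoding
    hits = {name for name, rx in ESCAPES.items() if rx.search(decoded)}
    hits |= {"ognl-context:" + m for m in CONTEXT_REF.findall(decoded)}
    hits |= {"marker:" + s for s in MARKERS if s in decoded}
    return sorted(hits)

def scan_log(text):
    """Return (client, target, indicators) for every log line that matched."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST.search(line)
        hits = findings(m.group(1)) if m else []
        if hits:
            alerts.append((line.split()[0], m.group(1), hits))
    return alerts

if __name__ == "__main__":
    for client, target, hits in scan_log(SAMPLE_LOG):
        print(client, target, hits)
```

The scanner is not limited to `.action` paths, since Struts applications can be mapped to other extensions; narrow the match if that produces noise in your environment.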
CVSS provenance
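| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| vendor_cisco | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |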
OSV
Server side object manipulation in Apache Struts
osv·2022-05-13
CVE-2010-1870 [MEDIUM] Server side object manipulation in Apache Struts
OGNL provides, among other features, extensive expression evaluation capabilities. This vulnerability allows a malicious user to bypass the '#'-usage protection built into the ParametersInterceptor, thus being able to manipulate server side context objects. This behavior was already addressed in [S2-003](https://cwiki.apache.org/confluence/display/WW/S2-003), but it turned out that the resulting fix based on whitelisting acceptable parameter names closed the vulnerability only partially.
GHSA
Server side object manipulation in Apache Struts
ghsa·2022-05-13
CVE-2010-1870 [MEDIUM] Server side object manipulation in Apache Struts
OGNL provides, among other features, extensive expression evaluation capabilities. This vulnerability allows a malicious user to bypass the '#'-usage protection built into the ParametersInterceptor, thus being able to manipulate server side context objects. This behavior was already addressed in [S2-003](https://cwiki.apache.org/confluence/display/WW/S2-003), but it turned out that the resulting fix based on whitelisting acceptable parameter names closed the vulnerability only partially.
Cisco
Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
vendor_cisco·2014-07-09·CVSS 5.0
CVE-2010-1870 [MEDIUM] CWE-94 Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability identified by Apache with Common Vulnerabilities and Exposures ID CVE-2010-1870.
The vulnerability is due to insufficient sanitization on user-supplied input in the XWorks component of the affected software. The component uses the ParameterInterceptors directive to parse the Object-Graph Navigation Language (OGNL) expressions that are implemented via a whitelist feature. An attacker could exploit this vulnerability by sending crafted requests that contain OGNL expressions to an affected system. An exploit could allow the attacker to execute arbitrary code on the targeted
Red Hat
Struts2/WebWorks/XWork: ParameterInterceptors bypass allows remote command execution
vendor_redhat·2010-07-25·CVSS 5.0
CVE-2010-1870 [MEDIUM] Struts2/WebWorks/XWork: ParameterInterceptors bypass allows remote command execution
The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not inc
Cisco
Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
vendor_cisco
CVE-2010-1870 Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products
Multiple Cisco products include an implementation of the Apache Struts 2 component that is affected by a remote command execution vulnerability identified by Apache with Common Vulnerabilities and Exposures ID CVE-2010-1870. The vulnerability is due to insufficient sanitization on user-supplied input in the XWorks component of the affected software. The component uses the ParameterInterceptors directive to parse the Object-Graph Navigation Language (OGNL) expressions that are implemented via a whitelist feature. An attacker could exploit this vulnerability by sending crafted requests that contain OGNL expressions to an affected system. An exploit could allow the attacker to execute arbitrary code on t
No detection rules found.
Exploit-DB
Apache Struts < 2.2.0 - Remote Command Execution (Metasploit)
exploitdb·2011-08-19
CVE-2010-1870 Apache Struts < 2.2.0 - Remote Command Execution (Metasploit)
Apache Struts 'Apache Struts %q{
This module exploits a remote command execution vulnerability in
Apache Struts versions
[
'bannedit', # metasploit module
'Meder Kydyraliev', # original public exploit
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 13586 $',
'References' =>
[
[ 'CVE', '2010-1870'],
[ 'OSVDB', '66280'],
[ 'URL', 'http://www.exploit-db.com/exploits/14360/' ],
],
'Platform' => [ 'win', 'linux'],
'Privileged' => true,
'Targets' =>
[
['Windows Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
}
],
['Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
],
],
'DisclosureDate' => 'Jul 13 2010',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
OptString.new('URI', [ true, 'The path to a struts application action ie. /struts2-blank-2.0.9/example/Hel
Exploit-DB
Struts2/XWork < 2.2.0 - Remote Command Execution
exploitdb·2010-07-14·CVSS 5.0
CVE-2010-1870 [MEDIUM] Struts2/XWork < 2.2.0 - Remote Command Execution
---
Friday, July 9, 2010
CVE-2010-1870: Struts2/XWork remote command execution
Update Tue Jul 13 2010: Added proof of concept
Apache Struts team has announced uploaded but has not released, due to an unreasonably prolonged voting process, the 2.2.0 release of the Struts2 web framework which fixes vulnerability that I've reported to them on May 31st 2010. Apache Struts team is ridiculously slow in releasing the fixed version and all of my attempts to expedite the process have failed.
Introduction
Struts2 is Struts + WebWork. WebWork in turn uses XWork to invoke actions and call appropriate setters/getters based on HTTP parameter names, which is achieved by treating each HTTP parameter name as an OGNL statement. OGNL (Object Graph Navigati
Nuclei
ListSERV Maestro <= 9.0-8 RCE
nuclei·CVSS 5.0
CVE-2010-1870 [MEDIUM] ListSERV Maestro <= 9.0-8 RCE
A struts-based OGNL remote code execution vulnerability exists in ListSERV Maestro before and including version 9.0-8.
Template:
id: CVE-2010-1870
info:
  name: ListSERV Maestro <= 9.0-8 RCE
  author: b0yd
  severity: medium
  description: A struts-based OGNL remote code execution vulnerability exists in ListSERV Maestro before and including version 9.0-8.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Upgrade to a patched version of ListSERV Maestro that is not affected by this vulnerability.
  reference:
    - https://www.securifera.com/advisories/sec-2020-0001/
    - https://packetstormsecurity.com/files/159643/listservmaestro-exec.txt
    - https://www.exploit-db.com/exploits/1
Metasploit
Apache Struts Remote Command Execution
metasploit
This module exploits a remote command execution vulnerability in Apache Struts versions < 2.2.0. This issue is caused by a failure to properly handle unicode characters in OGNL extensive expressions passed to the web server. By sending a specially crafted request to the Struts application it is possible to bypass the "#" restriction on ParameterInterceptors by using OGNL context variables. Bypassing this restriction allows for the execution of arbitrary Java code.
- http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html
- http://confluence.atlassian.com/display/FISHEYE/FishEye+Security+Advisory+2010-06-16
- http://packetstormsecurity.com/files/159643/LISTSERV-Maestro-9.0-8-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2010/Jul/183
- http://seclists.org/fulldisclosure/2020/Oct/23
- http://secunia.com/advisories/59110
- http://securityreason.com/securityalert/8345
- http://struts.apache.org/2.2.1/docs/s2-005.html
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140709-struts2
- http://www.exploit-db.com/exploits/14360
- http://www.osvdb.org/66280
- http://www.securityfocus.com/bid/41592