CVE-2010-1870
published 2010-08-17


Priority: P3 (58), medium
CVSS 2.0: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
EXPLOIT
EPSS: 91.08% (99.8th percentile)
The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.

Affected

27 ranges · showing 25
Vendor: apache · Product: struts (the version range and fixed-in columns are not present on this page)

Detection & IOCs (extracted from sources)

  • Detect exploitation attempts by looking for URL-encoded unicode bypass sequences (\u0023 for '#', \u003d for '=') combined with OGNL context variable names such as _memberAccess, xwork.MethodAccessor.denyMethodExecution, and @java.lang.Runtime@getRuntime in HTTP GET parameters.
  • Flag HTTP requests containing the parameter patterns ('\u0023_memberAccess') or ('\u0023context'), as these are the unicode-encoded OGNL '#' bypass sequences used to exploit CVE-2010-1870.
  • Monitor for HTTP requests to Struts .action endpoints containing the characters \u0023 (unicode for #), \u003d (unicode for =), and @java.lang.Runtime@getRuntime in parameter names or values.
  • Shodan/FOFA fingerprinting: identify exposed Struts instances via HTML body containing 'struts problem report', page title 'struts2 showcase', or HTML containing 'apache struts'.
  • For ListSERV Maestro specifically, scan HTTP responses at /lui/ and /hub/ for version strings matching 'LISTSERV Maestro 9.0-[0-8]' or 'Administration Hub 9.0-[0-8]' to identify vulnerable instances.
  • ParametersInterceptor is enabled by default in struts-default.xml, meaning all standard Struts 2 deployments are exposed unless explicitly patched or the interceptor is reconfigured.
  • As a temporary mitigation where upgrade is not possible, use ParameterInterceptor's 'excludeParams' to whitelist only required characters (A-z0-9_.'"[]) or blacklist the characters \()@ required for exploitation.
  • The fix in Struts 2.2.0 whitelists a set of characters that excludes those required to exploit this vulnerability; deployments on Struts 2.0.0 through 2.1.8.1 remain vulnerable.
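The detection notes above combined into one log-scanning pass, as an added example that is not code from this page or from any of the cited sources; the access-log lines are constructed, and the restriction to `.action` endpoints, the double percent-decoding and the verdict labels are this example's own assumptions.

```python
import re
from urllib.parse import unquote

# Indicators taken from the detection notes on this page.
BYPASS_SEQUENCES = ("\\u0023", "\\u003d")  # unicode escapes for '#' and '='
CONTEXT_MARKERS = (
    "_memberAccess",
    "#context",
    "xwork.MethodAccessor.denyMethodExecution",
    "@java.lang.Runtime@getRuntime",
)
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def normalize(target: str) -> str:
    # Decode twice so %255Cu0023 and %5Cu0023 both become \u0023 (assumption:
    # attackers may double-encode), then lower-case so \U0023 matches too.
    return unquote(unquote(target)).lower()

def classify_request(target: str) -> dict:
    """Report bypass sequences and context-variable names found in one request target."""
    norm = normalize(target)
    seqs = [s for s in BYPASS_SEQUENCES if s in norm]
    # Resolve the escapes so '\u0023context' is also recognised as '#context'.
    resolved = norm.replace("\\u0023", "#").replace("\\u003d", "=")
    markers = [m for m in CONTEXT_MARKERS if m.lower() in resolved]
    if seqs and markers:
        verdict = "likely-exploitation"   # bypass escape plus a context variable
    elif seqs or markers:
        verdict = "suspicious"            # one indicator alone: review, do not block
    else:
        verdict = "benign"
    return {"bypass_sequences": seqs, "context_markers": markers, "verdict": verdict}

def scan_access_log(lines):
    """Return (target, classification) for every non-benign request to a .action endpoint."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m or not m.group("target").split("?")[0].endswith(".action"):
            continue  # assumption: only Struts .action endpoints are in scope
        result = classify_request(m.group("target"))
        if result["verdict"] != "benign":
            findings.append((m.group("target"), result))
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Aug/2010:10:00:01 +0000] "GET /app/index.action?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Aug/2010:10:00:02 +0000] "GET /app/index.action?id=%5Cu0023_memberAccess HTTP/1.1" 200 88',
    '10.0.0.9 - - [17/Aug/2010:10:00:03 +0000] "GET /app/index.action?q=%255Cu0023context%2540java.lang.Runtime%2540getRuntime HTTP/1.1" 500 0',
    '10.0.0.7 - - [17/Aug/2010:10:00:04 +0000] "GET /static/docs.html?note=_memberAccess HTTP/1.1" 200 1024',
]
```

Running `scan_access_log(SAMPLE_LOG)` flags the second and third lines as likely exploitation attempts and ignores the fourth because it is not a Struts endpoint.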

CVSS provenance

nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:P/A:N
vendor_cisco · 5.0 MEDIUM
vendor_redhat · 5.0 MEDIUM