sadf • 10 years ago

Is there some way to get confirmation from the Struts2 team? So far the only information about this is your blog and the foreign language site you link to. Is there some Struts announcement coming?

Alvaro Muñoz • 10 years ago

That's because the bypass was disclosed today, but I got in contact with the Struts2 team and they just released an official announcement:
http://struts.apache.org/an...

Bharath Srinivasan • 6 years ago

Helpful, thanks!

Anwar • 9 years ago

Hi, how can we exploit this vulnerability to cross-check if it is fixed or not? Anwar

Alex • 10 years ago

Is this also for JBoss?

Alvaro Muñoz • 10 years ago

I haven't verified that the JBoss classloader allows property manipulation to run arbitrary commands, but Struts 2.3.16.2 has been released to fix S2-020 and S2-021 (same thing for cookies), so I strongly recommend you update your Struts 2 even if running it on top of JBoss.