CVE-2007-4556
CVE-2007-4556
Vexday Risk Score
23Bajo
Decisión SSVC (CISA)
Attend
PoC disponible → seguir de cerca
Madurez del exploit
Exploit funcional
Exploit automatizable disponible (Nuclei/Metasploit).
CVSS —EPSS 25.7%KEV nãoPoC —Nuclei simMetasploit —Patch —
Ciclo de vida
28 ago 2007Publicada en NVD
Recomendación: Planificar corrección próxima — ya existe PoC pública.
Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via form input beginning with a "%{" sequence and ending with a "}" character.
Productos afectados
n/a · n/aReferencias
http://forums.opensymphony.com/ann.jspa?annID=54http://issues.apache.org/struts/browse/WW-2030http://jira.opensymphony.com/browse/XW-544http://jira.opensymphony.com/secure/ReleaseNote.jspa?projectId=10050&styleName=Html&version=21701http://jira.opensymphony.com/secure/ReleaseNote.jspa?projectId=10050&styleName=Html&version=21706http://osvdb.org/37072http://secunia.com/advisories/26681http://secunia.com/advisories/26693http://secunia.com/advisories/26694http://struts.apache.org/2.x/docs/s2-001.htmlhttp://wiki.opensymphony.com/display/WW/1.2.3+Press+Releasehttp://www.securityfocus.com/bid/25524