CVE-2007-4556
OpenSymphony XWork vulnerable to improper input validation
EPSS 2.1%
Description
XWork is a command-pattern framework that is used to power WebWork as well as other applications. Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via form input beginning with a "%{" sequence and ending with a "}" character. Note: Version 2.0.4 marks the change from `opensymphony:xwork` to `com.opensymphony:xwork`.
How to fix CVE-2007-4556
To fix CVE-2007-4556, upgrade the affected package to the patched version listed below.
- Upgrade to 1.2.3 or later
Is CVE-2007-4556 being exploited?
Low: the EPSS score is 2.1%, and no large-scale exploitation activity is currently observed.
Affected packages (1)
- from 0, < 1.2.3