Date: Tue, 14 Jan 2014 17:18:24 -0600 (CST)
From: security curmudgeon <jericho@...rition.org>
To: Maksymilian A <max@...t.cx>
cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request: Apache Archiva Remote Command Execution 0day

: Please assign CVE for Apache Archiva 0day
:
: http://cxsecurity.com/issue/WLB-2014010087

From that link:

Apache Archiva uses Apache Struts2:

"In Struts 2 before 18.104.22.168 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code."

References: http://struts.apache.org/release/2.3.x/docs/s2-016.html

^ All that is CVE-2013-2251.