[ https://issues.apache.org/struts/browse/WW-2692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=44682#action_44682 ]
Rene Gielen commented on WW-2692:
---------------------------------

Just to be sure we are all talking about the same thing / to clarify for others: Struts 2.0.11.2 comes with the already released XWork 2.0.4. The current SVN version will be released as XWork 2.0.5, which will be included with Struts 2.0.11.3 / 2.0.12. Upcoming XWork 2.0.5 contains the fixes needed to pass all the said tests; XWork 2.0.4 does not.

> XWork ParameterInterceptors bypass (OGNL statement execution) (XW-641)
> ----------------------------------------------------------------------
>
>                 Key: WW-2692
>                 URL: https://issues.apache.org/struts/browse/WW-2692
>             Project: Struts 2
>          Issue Type: Bug
>    Affects Versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7,
>                      2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.11.1, 2.1.0, 2.1.1, 2.1.2
>            Reporter: Rene Gielen
>            Assignee: Rene Gielen
>            Priority: Critical
>             Fix For: 2.0.11.2, 2.1.3
>
>
> Meder Kydyraliev of the Google Security Team reported a vulnerability to the
> XWork team that allows attackers to bypass security measures implemented in
> ParametersInterceptor to inject OGNL expressions.
> Since XWork is the foundation of Struts2, this must be considered a Struts2
> vulnerability as well.
> For a full description, see
> http://jira.opensymphony.com/secure/ViewIssue.jspa?key=XW-641

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.