[ https://issues.apache.org/struts/browse/WW-2692?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rene Gielen resolved WW-2692. ----------------------------- Resolution: Fixed Fix Version/s: (was: 2.0.11.2) 2.0.13 Fixed by XWork 2.0.6 release. See XW-641 (http://jira.opensymphony.com/browse/XW-641) > XWork ParameterInterceptors bypass (OGNL statement execution) (XW-641) > ---------------------------------------------------------------------- > > Key: WW-2692 > URL: https://issues.apache.org/struts/browse/WW-2692 > Project: Struts 2 > Issue Type: Bug > Affects Versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, > 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.11.1, 2.1.0, 2.1.1, 2.1.2 > Reporter: Rene Gielen > Assignee: Rene Gielen > Priority: Critical > Fix For: 2.0.13, 2.1.3 > > > Meder Kydyraliev of the Google Security Team reported a vulnerability to the > XWork team that allows attackers to bypass security measures implemented in > ParametersInterceptor to inject OGNL expressions. > Since XWork is the foundation of Struts2, this must be considered a Struts2 > vulnerability as well. > For a full description, see > http://jira.opensymphony.com/secure/ViewIssue.jspa?key=XW-641 -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.