[ https://issues.apache.org/jira/browse/WW-4063?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13667774#comment-13667774 ]
Hudson commented on WW-4063:
----------------------------

Integrated in Struts2-JDK6 #716 (See [https://builds.apache.org/job/Struts2-JDK6/716/])
    Merged from STRUTS_2_3_14_X
    Disable eval expressions [from revision 1469249]
    WW-4063 Improved security by making static method attribute immutable [from revision 1486054]
    WW-4063 Skipping unneeded translation for included parameters [from revision 1486076]
    WW-4063 Testcase modification after refactoring [from revision 1486164]
    WW-4063 Testcases for double parameter evaluation problems [from revision 1486576] (Revision 1486633)

     Result = SUCCESS
rgielen :
Files :
* /struts/struts2/trunk
* /struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/DefaultUrlHelper.java
* /struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/jsp/URLTagTest.java
* /struts/struts2/trunk/core/src/test/java/org/apache/struts2/views/util/DefaultUrlHelperTest.java
* /struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/SecurityMemberAccess.java

> Remote code execution in Struts2 via expression language execution
> ------------------------------------------------------------------
>
>                 Key: WW-4063
>                 URL: https://issues.apache.org/jira/browse/WW-4063
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Expression Language
>    Affects Versions: 2.3.14.1
>         Environment: Mac OS X 10.7
>            Reporter: Coverity Security Research Laboratory
>            Assignee: Rene Gielen
>              Labels: security
>             Fix For: 2.3.14.2
>
>
> Struts2 under certain configurations is vulnerable to remote code execution
> via the interpretation of EL and OGNL. Since this is I'm assuming a publicly
> accessible issue, please let me know if I should add a reproducer to this
> issue or if I should communicate this reproducer through another mechanism.