Red Hat Bugzilla – Bug 1123726
CVE-2008-6504 Apache Struts2/WebWorks/XWork: ParameterInterceptors bypass allows OGNL statement execution
Last modified: 2015-02-15 16:54:57 EST
It was discovered that ParametersInterceptor in OpenSymphony XWork 2.0.x before 2.0.6 and 2.1.x before 2.1.2, as used in Apache Struts and other products, does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-6504
http://struts.apache.org/release/2.2.x/docs/s2-003.html
https://github.com/victims/victims-cve-db/blob/master/database/java/2008/6504.yaml
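The weakness described above is a filter that looks only for a literal # and therefore misses the \u0023 escape that the expression engine resolves later. The following is an added model of that check, not OpenSymphony or Struts code: it contrasts the literal-character blocklist with a check applied after decoding, and with a positive allowlist of parameter-name characters (the allowlist regex and the sample parameter names are assumptions constructed for the illustration).

```python
"""Model of the ParametersInterceptor filtering weakness from CVE-2008-6504.

Added illustration, not OpenSymphony/Struts code. Parameter names are
constructed samples; the allowlist regex is an assumption, not the
project's own pattern.
"""
import re

# Matches an OGNL/Java-style unicode escape such as \u0023 ('#').
UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")

# Characters a typical Struts parameter name legitimately needs
# (assumed allowlist; a real deployment would tune it).
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.\[\]']*$")


def naive_rejects(name: str) -> bool:
    """Blocklist in the spirit of the vulnerable interceptor: only a
    literal '#' is refused, so the escaped form is not caught."""
    return "#" in name


def decode_ognl_escapes(name: str) -> str:
    """Resolve \\uXXXX escapes the way the expression engine would."""
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), name)


def normalized_rejects(name: str) -> bool:
    """Blocklist applied after decoding: closes the \\u0023 gap, but is
    still only as good as the list of characters someone chose to block."""
    return "#" in decode_ognl_escapes(name)


def allowlist_accepts(name: str) -> bool:
    """Positive validation: anything outside the allowed alphabet is
    rejected, escapes included, because '\\' itself is not allowed."""
    return ALLOWED_NAME.fullmatch(name) is not None


def evaluate(name: str) -> dict:
    return {
        "naive_rejects": naive_rejects(name),
        "normalized_rejects": normalized_rejects(name),
        "allowlist_accepts": allowlist_accepts(name),
    }


# Constructed parameter names: one ordinary, one with a literal '#',
# one using the \u0023 representation the advisory describes.
SAMPLES = ["user.name", "#foo.bar", "\\u0023foo.bar"]

if __name__ == "__main__":
    for n in SAMPLES:
        print(n, evaluate(n))
```

Running it shows the escaped name passing the naive check while both the decode-then-check and allowlist variants refuse it, which is why the fixed XWork versions validate parameter names positively rather than hunting for one character.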
For now I am not interested in upgrading Struts to the 2.x series. Regards
Statement: The issue does not affect any Red Hat products as no products ship Struts2/XWork binaries.