Red Hat Bugzilla – Bug 723829
CVE-2011-2088 struts: Allows remote attackers to obtain potentially sensitive information via vectors involving an s:submit element
Last modified: 2011-07-25 04:51:27 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-2088 to the following vulnerability: XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772.3. References: [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2088 [2] http://www.securityfocus.com/archive/1/archive/1/518066/100/0/threaded [3] http://secureappdev.blogspot.com/2011/05/Struts_2_XWork_WebWork_XSS_in_error_pages.html [4] http://secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html [5] http://www.ventuneac.net/security-advisories/MVSA-11-006 [6] https://issues.apache.org/jira/browse/WW-3579
Based on: [7] https://bugzilla.novell.com/show_bug.cgi?id=693976#c3 it's more than likely this flaw would not affect any of our Struts-1.x package version, shipped across different supported products. But we need to double-check, confirm and note this.
This issue only affects struts 2.x. The release notes for struts 2.2.3 show it fixed only in the 2.x stream: http://struts.apache.org/2.2.3/docs/version-notes-223.html Statement: Not vulnerable. This issue did not affect the versions of struts as shipped with Red Hat Enterprise Linux 5, Red Hat Network Satellite 5, JBoss Enterprise Web Server 1, JBoss Enterprise Application Platform 4, JBoss Enterprise Portal Platform 4 and JBoss Operations Network 2.