CVE-2007-4556 – opensymphony:xwork

Package

Manager: maven
Name: opensymphony:xwork
Vulnerable Version: >=0 <1.2.3 || >=2.0.0 <2.0.4

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.02359 pctl0.84329

Details

OpenSymphony XWork vulnerable to improper input validation XWork is an command-pattern framework that is used to power WebWork as well as other applications. Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via form input beginning with a "%{" sequence and ending with a "}" character. Note: Version 2.0.4 marks the change from `opensymphony:xwork` to `com.opensymphony:xwork`.

Metadata

Created: 2022-05-01T18:24:47Z
Modified: 2023-09-11T20:52:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h7mf-qrm9-2848/GHSA-h7mf-qrm9-2848.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-h7mf-qrm9-2848
Finding: F184
Auto approve: 1