First published: Tue Aug 17 2010(Updated: )
OGNL provides, among other features, extensive expression evaluation capabilities. This vulnerability allows a malicious user to bypass the '#'-usage protection built into the ParametersInterceptor, thus being able to manipulate server side context objects. This behavior was already addressed in [S2-003](https://cwiki.apache.org/confluence/display/WW/S2-003), but it turned out that the resulting fix based on whitelisting acceptable parameter names closed the vulnerability only partially.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
maven/org.apache.struts:struts2-core | <2.2.1 | 2.2.1 |
Apache Struts 2 | =2.0.0 | |
Apache Struts 2 | =2.0.1 | |
Apache Struts 2 | =2.0.2 | |
Apache Struts 2 | =2.0.3 | |
Apache Struts 2 | =2.0.4 | |
Apache Struts 2 | =2.0.5 | |
Apache Struts 2 | =2.0.6 | |
Apache Struts 2 | =2.0.7 | |
Apache Struts 2 | =2.0.8 | |
Apache Struts 2 | =2.0.9 | |
Apache Struts 2 | =2.0.10 | |
Apache Struts 2 | =2.0.11 | |
Apache Struts 2 | =2.0.11.1 | |
Apache Struts 2 | =2.0.11.2 | |
Apache Struts 2 | =2.0.12 | |
Apache Struts 2 | =2.0.13 | |
Apache Struts 2 | =2.0.14 | |
Apache Struts 2 | =2.1.0 | |
Apache Struts 2 | =2.1.1 | |
Apache Struts 2 | =2.1.2 | |
Apache Struts 2 | =2.1.3 | |
Apache Struts 2 | =2.1.4 | |
Apache Struts 2 | =2.1.5 | |
Apache Struts 2 | =2.1.6 | |
Apache Struts 2 | =2.1.8 | |
Apache Struts 2 | =2.1.8.1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2010-1870 is considered a high severity vulnerability due to its potential for server-side context object manipulation.
To resolve CVE-2010-1870, upgrade to Apache Struts version 2.2.1 or later.
The affected versions of Apache Struts include 2.0.0, 2.0.1, 2.0.2, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.11.1, 2.0.11.2, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.8, and 2.1.8.1.
Any application that uses the affected versions of Apache Struts may be vulnerable to CVE-2010-1870.
The main impact of CVE-2010-1870 is the ability for an attacker to manipulate server-side objects, potentially leading to further exploitation or unauthorized access.