These vulnerabilities allow an attacker to execute arbitrary code in the context of the service session, which could lead to a complete hijack of the affected system. They could be exploited remotely by an attacker who can reach the affected system over the network, or by a malicious insider who holds valid credentials for it. Successful exploitation could give an attacker access to sensitive information on the affected system or allow them to take complete control of it. These vulnerabilities have been assigned Common Vulnerabilities and Exposures (CVE) numbers CVE-2022.

Apache Struts is a software package commonly installed on web servers to provide a framework for building web applications. It is open source software licensed under the Apache License and is widely used in large enterprises, in government agencies, and as a component of large Internet-based projects.

A vulnerability has been discovered in Apache Struts version 1.3.x that could be exploited by an attacker to achieve remote code execution. This vulnerability has been assigned the CVE ID CVE-2022 and is documented in the references below. An attacker could exploit it by sending a crafted web request to an affected Apache Struts application. An attacker would need to send the victim a specially crafted request sent from a web browser

Vulnerability overview

The vulnerability is a remote code execution flaw that allows an attacker to execute arbitrary code in the context of the Apache Struts application. The vulnerable software is Apache Struts version 1.3.x; all versions prior to 1.3.11 are also vulnerable. An attacker would need to send specially crafted web requests to exploit this vulnerability. The vulnerability has been assigned CVE identifier CVE-2022 and was discovered by Antoine Delignat-Lavaud of Proteasys.

Introduction

This vulnerability poses a risk to any website that uses Apache Struts versions 1.3.x or 2.5.x. There are no known exploits at this time, but the possibility of remote code execution cannot be ruled out in the future. Note that an attacker must have valid credentials to exploit this vulnerability, as it requires a specially crafted web request sent from a web browser to the targeted Apache Struts application.

Vulnerability Summary

CVE-2022-22035: Remote code execution vulnerability in Apache Struts with authentication bypass

Product Description

Apache Struts 1.3.x is vulnerable to remote code execution. An attacker could exploit this vulnerability by sending a crafted web request to an affected Apache Struts application.

Timeline

Published on: 10/11/2022 19:15:00 UTC
Last modified on: 10/11/2022 19:16:00 UTC

References