Attacker Value
(1 user assessed)
Very High
(1 user assessed)
User Interaction
Privileges Required
Attack Vector


Disclosure Date: August 22, 2018
Add any MITRE ATT&CK Tactics to the list below that apply to this CVE.


Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn’t have value and action set and in same time, its upper package have no or wildcard namespace.

Add Assessment

Technical Analysis

This vulnerability exists within the Apache Struts OGNL method dispatch routine. An attacker can submit a specially crafted HTTP request to a vulnerable web server. Specifically an attacker can taint the name parameter passed to OgnlUtil::getValue().

Exploitation of this vulnerability would lead to code execution within the context of the Java process powering the server. An indicator of compromise will be present in the logs at the DEBUG level. This IOC will look like a malformed value in the Executing action method = message.

The default configuration is not vulnerable. The alwaysSelectFullNamespace option must be enabled. This can be done by adding <constant name="struts.mapper.alwaysSelectFullNamespace" value="true" /> to the struts.xml configuration file.

General Information


  • Apache Software Foundation


  • Apache Struts
Technical Analysis