On July 7, 2017, Apache Struts released its latest security bulletin and announced the CVE-2017-9791 vulnerability. The vulnerability is in the ActionMessage class of the Showcase plug-in in Struts2 and Struts1. An attacker can construct untrusted input to carry out remote command attacks, which brings security risks.
See the following for more information about the vulnerability.
Struts (S2-048) remote command execution vulnerability
In the Showcase ActionMessage class, an attacker can construct untrusted input to carry out remote command attacks, which brings security risks.
Condition and method of exploitation
Struts 2.3.x Showcase application
Check the Struts framework version.
How to fix or mitigate
Disable, close, or delete the \struts-2.3.x\apps\struts2-showcase.war package as required.
Upgrade Struts to the latest version 18.104.22.168.
Use Alibaba Cloud Security WAF for defense.
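One way to carry out the version check and locate the Showcase package on a server, as an added example that is not part of the original bulletin. It covers packaged WAR files only; the function names and the sample archives built in `demo()` are constructed for illustration.

```python
import os
import re
import tempfile
import zipfile

# struts2-core-<version>.jar is how the Struts 2 core library is named in WEB-INF/lib.
CORE_JAR = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")
SHOWCASE = re.compile(r"struts2-showcase.*\.war$", re.IGNORECASE)


def core_versions(war_path):
    """Return Struts core versions bundled in a WAR (a WAR is a zip archive)."""
    try:
        with zipfile.ZipFile(war_path) as war:
            names = war.namelist()
    except (zipfile.BadZipFile, OSError):
        return []  # unreadable or truncated archive: report no versions, do not crash
    return sorted({m.group(1) for n in names if (m := CORE_JAR.search(n))})


def scan(root):
    """Walk root; report each WAR that is the Showcase app or bundles Struts 2.3.x."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".war"):
                continue
            path = os.path.join(folder, name)
            versions = core_versions(path)
            is_showcase = bool(SHOWCASE.search(name))
            is_23x = any(v.startswith("2.3.") for v in versions)
            if is_showcase or is_23x:
                findings.append({"path": path, "showcase": is_showcase,
                                 "struts_2_3_x": is_23x, "versions": versions})
    return findings


def demo():
    """Build a constructed webapps tree and scan it (sample data, not real hosts)."""
    root = tempfile.mkdtemp()
    samples = {"struts2-showcase.war": "WEB-INF/lib/struts2-core-2.3.32.jar",
               "shop.war": "WEB-INF/lib/struts2-core-2.5.10.jar",
               "plain.war": "WEB-INF/web.xml"}
    for war, member in samples.items():
        with zipfile.ZipFile(os.path.join(root, war), "w") as z:
            z.writestr(member, b"")
    return scan(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `scan()` at the application server's deployment directory; each finding is a candidate for the disable, delete, or upgrade steps above.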