Apache Struts Remote Code Execution Vulnerability Affecting Cisco Products: August 2018
A vulnerability in Apache Struts could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.
The vulnerability exists because the affected software insufficiently validates user-supplied input, allowing the use of results with no namespace value and the use of url tags with no value or action. In cases where upper actions or configurations also have no namespace or a wildcard namespace, an attacker could exploit this vulnerability by sending a request that submits malicious input to the affected application for processing. If successful, the attacker could execute arbitrary code in the security context of the affected application on the targeted system.
Security Impact Rating: Critical
CVE: CVE-2018-11776
from Cisco Security Advisory https://ift.tt/2LkILFq
The vulnerability exists because the affected software insufficiently validates user-supplied input, allowing the use of results with no namespace value and the use of url tags with no value or action. In cases where upper actions or configurations also have no namespace or a wildcard namespace, an attacker could exploit this vulnerability by sending a request that submits malicious input to the affected application for processing. If successful, the attacker could execute arbitrary code in the security context of the affected application on the targeted system.
This advisory will be updated as additional information becomes available.
This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts
Security Impact Rating: Critical
CVE: CVE-2018-11776
from Cisco Security Advisory https://ift.tt/2LkILFq