CVE-2015-5209
Special top object can be used to access Struts' internals
7.5
HIGH
CVSS 3.1
EPSS 1.4%
Description
ValueStack defines a special top object that represents the root of the execution context. It can be used to manipulate Struts' internals or to affect the container's settings. The fix applies a stricter regular expression whose pattern excludes request parameters that attempt to reference the top object. This issue was patched in Struts 2.3.24.1.
How to fix CVE-2015-5209
To remediate CVE-2015-5209, upgrade the affected package to a fixed version below.
- Upgrade to 2.3.24.1 or later
Is CVE-2015-5209 being exploited?
Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Struts: all versions from 0 up to, but not including, 2.3.24.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |