CVE-2008-6504: ParameterInterceptors bypass allows OGNL statement execution

ParametersInterceptor does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.
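The defensive lesson of this advisory is that a filter which rejects the literal `#` but inspects the raw parameter name can be sidestepped by an escaped representation of the same character. The Java class below is an added example written for this page; it is not code from the advisory or from the affected project (assumed here to be a Struts-style `ParametersInterceptor`). It canonicalizes a parameter name by decoding backslash-u escapes until the string no longer changes, and only then applies an allow-list regular expression. The class name `ParamNameGuard`, the `ACCEPTED` pattern and the sample inputs are all constructed for the example.

```java
import java.util.regex.Pattern;

public class ParamNameGuard {

    // Allow-list for parameter names: a dotted property path with optional
    // numeric or quoted-string index. Constructed for this example; it is not
    // the pattern the affected framework ships.
    private static final Pattern ACCEPTED = Pattern.compile(
        "^[A-Za-z][A-Za-z0-9_]*(\\.[A-Za-z][A-Za-z0-9_]*|\\[\\d+\\]|\\('[A-Za-z0-9_]*'\\))*$");

    // Upper bound on decoding rounds so a hostile input cannot keep us looping.
    private static final int MAX_DECODE_ROUNDS = 4;

    /** One pass of backslash-u (four hex digit) escape decoding; malformed escapes are copied as-is. */
    static String decodeUnicodeEscapes(String s) {
        StringBuilder out = new StringBuilder(s.length());
        int i = 0;
        while (i < s.length()) {
            if (s.charAt(i) == '\\' && i + 5 < s.length() && s.charAt(i + 1) == 'u') {
                try {
                    out.append((char) Integer.parseInt(s.substring(i + 2, i + 6), 16));
                    i += 6;
                    continue;
                } catch (NumberFormatException ignored) {
                    // not a valid escape: fall through and copy the backslash literally
                }
            }
            out.append(s.charAt(i));
            i++;
        }
        return out.toString();
    }

    /** Decode repeatedly until the value is stable, so an escape hidden inside another escape is still resolved. */
    static String canonicalize(String s) {
        String prev = s;
        for (int round = 0; round < MAX_DECODE_ROUNDS; round++) {
            String next = decodeUnicodeEscapes(prev);
            if (next.equals(prev)) {
                return next;
            }
            prev = next;
        }
        return prev;
    }

    /** True only if the canonical form of the name contains no '#' and is on the allow-list. */
    static boolean isAcceptableParamName(String raw) {
        String canonical = canonicalize(raw);
        if (canonical.indexOf('#') >= 0) {
            return false;   // explicit: no OGNL context references in parameter names
        }
        return ACCEPTED.matcher(canonical).matches();
    }

    public static void main(String[] args) {
        // Constructed sample parameter names; the third is the escaped form named in the advisory.
        String[] samples = {
            "user.name",
            "#session.user",
            "\\u0023session.user",
            "items[0].price"
        };
        for (String s : samples) {
            System.out.printf("%-24s -> %s%n", s, isAcceptableParamName(s) ? "accepted" : "rejected");
        }
    }
}
```

The important ordering is canonicalize first, validate second: checking `raw.indexOf('#')` before decoding would accept `\u0023session.user` even though the expression evaluator later sees `#session.user`. Rejecting anything not on a positive allow-list, rather than searching for known-bad characters, removes the need to enumerate every encoding of `#`.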