CVE-2010-1870: XWork ParameterInterceptors bypass allows remote command execution
The OGNL extensive expression evaluation capability in this package, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive allowlist, which allows remote attackers to modify server-side context objects and bypass the “#” protection mechanism in ParameterInterceptors via the #context, #_memberAccess, #root, #this, #_typeResolver, #_classResolver, #_traceEvaluations, #_lastEvaluation, #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.
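As an added defender-side example (not part of this advisory or of the XWork project): a small Python scanner that flags request parameter names which reference the OGNL context variables listed above or which fail a strict parameter-name allowlist. The log lines and the allowlist pattern are constructed for illustration; the pattern is an assumption about what a hardened ParameterInterceptor would enforce, not the project's own.

```python
"""Added example: flag request parameter names that reference the OGNL context
variables named in CVE-2010-1870 or that fail a strict name allowlist.
Sample log lines below are constructed, not real traffic."""
import re
from urllib.parse import parse_qsl, urlsplit

# Context variables named in the advisory text.
OGNL_CONTEXT_VARS = {
    "#context", "#_memberAccess", "#root", "#this", "#_typeResolver",
    "#_classResolver", "#_traceEvaluations", "#_lastEvaluation",
    "#_keepLastEvaluation",
}

# Illustrative strict allowlist for parameter names (assumption: letters,
# digits and the property/index syntax a form binder legitimately needs; '#'
# is deliberately absent). Not the project's own pattern.
STRICT_PARAM_NAME = re.compile(r"^[A-Za-z0-9_.\[\]()']+$")

# Extracts the request target from a common-log-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_param_names(url: str) -> list:
    """Return URL-decoded parameter names in `url` that mention an OGNL
    context variable or do not match the strict allowlist."""
    flagged = []
    for name, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        mentions_context = any(var in name for var in OGNL_CONTEXT_VARS)
        if mentions_context or not STRICT_PARAM_NAME.match(name):
            flagged.append(name)
    return flagged


def scan_log(lines) -> list:
    """Return (client_ip, flagged_names) for each line with a suspicious
    parameter name; lines without a parseable request are skipped."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        flagged = suspicious_param_names(match.group(1))
        if flagged:
            hits.append((line.split()[0], flagged))
    return hits


# Constructed access-log lines: one benign request, two with '#' names
# hidden behind URL encoding (%23 decodes to '#').
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2010:00:00:00 +0000] "GET /login.action?username=alice&password=x HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2010:00:00:01 +0000] "GET /search.action?%23context=1&q=foo HTTP/1.1" 200 77',
    '10.0.0.9 - - [01/Jan/2010:00:00:02 +0000] "GET /view.action?%23_memberAccess=1 HTTP/1.1" 500 0',
]
```

Running `scan_log(SAMPLE_LOG)` reports the second and third lines only; the benign login request passes both checks.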