Apache Struts ParameterInterceptor() Flaw Lets Remote Users Execute Arbitrary Commands
Struts 2.0.0 - Struts 220.127.116.11
A remote user can execute arbitrary code on the target system.
A vulnerability was reported in Apache Struts. The vulnerability allows a malicious user to bypass all the protections (regex pattern, deny method invocation) built into the ParametersInterceptor, thus being able to inject a malicious expression in any exposed string variable for further evaluation. The code will run with the privileges of the target web service.
A remote user can execute arbitrary commands on the target system.
Please follow recommendations outlined in S2-009 and upgrade to 18.104.22.168.