Home

CVE-2010-1870

Description

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the # protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.

Risk Information

Base Score
9.8
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
92.419

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2010-1870 are fixed in Apache-struts2-core 2.2.1Windows
Vulnerabilities CVE-2010-1870 are fixed in Apache-structs2-core for Linux 2.2.1Linux
Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products For Cisco Unified Contact Center EnterpriseNCM
Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products For Cisco Identity Services EngineNCM
Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products For Cisco Unified Communications Manager (CallManager)NCM
Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products For Cisco MXE 3000 Series (Media Experience Engines)NCM
CVE-2010-1870NCM

Patch Details

Click to see the patches provided by ManageEngine for this CVE
Patch IDPatch Description
PATCH-1705943Security Update for Cisco Unified Contact Center Enterprise 11.6(1)SR0(0)
PATCH-1706002Security Update for Cisco Identity Services Engine 2.0(0.905)
PATCH-1706016Security Update for Cisco Unified Communications Manager (CallManager) CUP.11.5(1.12900.25)
PATCH-1705957Security Update for Cisco MXE 3000 Series (Media Experience Engines) 3.5.2

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234