SV.STRUTS.VER
Struts version: upgrade
The SV.STRUTS.VER checker verifies that a project uses a Struts version that is not affected by a known Remote Code Execution vulnerability.
Vulnerability and risk
Apache Struts versions 2.3.x (earlier than 2.3.32) and 2.5.x (earlier than 2.5.10.1) implement incorrect exception handling and error-message generation during file-upload attempts. This vulnerability allows remote attackers to execute arbitrary commands.
Mitigation and prevention
Update to a newer version of Struts, at least version 2.5.12.
Vulnerable code example
1 import com.opensymphony.xwork2.Action;
2 public class LoginAction implements Action {
3     @Override
4     public String execute() {
5         return "SUCCESS";
6     }
7 }
Klocwork reports an SV.STRUTS.VER defect on line 3, indicating that the project uses a vulnerable Apache Struts version. Klocwork reports an error if the project uses an Apache Struts version earlier than 2.5.10.1.
Fixed code example
1 import com.opensymphony.xwork2.Action;
2 public class LoginAction implements Action {
3     @Override
4     public String execute() {
5         return "SUCCESS";
6     }
7 }
After updating to a compliant version of Apache Struts (at least version 2.5.12), Klocwork no longer reports a defect on line 3.
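The version comparison behind this check, as an added Python example (not Klocwork's own code): it flags the two ranges named above (2.3.x before 2.3.32 and 2.5.x before 2.5.10.1), tests the declared version against the recommended 2.5.12, and reads the version from a constructed pom.xml snippet; the Maven coordinates org.apache.struts:struts2-core and the POM 4.0.0 namespace are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Ranges stated on this page: a release is vulnerable when it is below
# the first fixed release of its minor line.
FIXED_IN = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}
RECOMMENDED = (2, 5, 12)  # the upgrade target the page recommends
POM_NS = "{http://maven.apache.org/POM/4.0.0}"  # assumed Maven POM namespace


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1); qualifiers such as '-RC1' are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Struts version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version):
    """True when the version falls in one of the affected ranges on this page."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return False  # not a 2.3.x or 2.5.x release; outside the ranges described here
    return v < fixed  # tuple ordering: (2, 5, 10) < (2, 5, 10, 1), so 2.5.10 is flagged


def meets_recommendation(version):
    """True when the version is at least the recommended 2.5.12."""
    return parse_version(version) >= RECOMMENDED


def struts_versions_in_pom(pom_xml):
    """Collect versions declared for org.apache.struts:struts2-core (assumed coordinates)."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iter(POM_NS + "dependency"):
        group = dep.findtext(POM_NS + "groupId")
        artifact = dep.findtext(POM_NS + "artifactId")
        version = dep.findtext(POM_NS + "version")
        if group == "org.apache.struts" and artifact == "struts2-core" and version:
            found.append(version.strip())
    return found


def audit_pom(pom_xml):
    """Map each declared struts2-core version to whether it is in an affected range."""
    return {v: is_vulnerable(v) for v in struts_versions_in_pom(pom_xml)}


# Constructed sample POM declaring a version inside the affected 2.5.x range.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.10</version>
    </dependency>
  </dependencies>
</project>"""
```

Note that a version inherited from a parent POM or a dependencyManagement section is not visible to this snippet, so resolve the effective POM before relying on it.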