SV.STRUTS.VER

Struts version: upgrade

The SV.STRUTS.VER checker verifies that a project uses a Struts version that does not have a known Remote Code Execution vulnerability.

Vulnerability and risk

Apache Struts versions 2.3.x (earlier than 2.3.32) and 2.5.x (earlier than 2.5.10.1) implement incorrect exception handling and error-message generation during file-upload attempts. This vulnerability allows remote attackers to execute arbitrary commands.

Mitigation and prevention

Update to a newer version of Struts, at least version 2.5.12.

Vulnerable code example

 import com.opensymphony.xwork2.Action;
 public class LoginAction implements Action {   // the checker inspects the Struts version this project builds against
    @Override
    public String execute() {
       return SUCCESS;   // Action.SUCCESS ("success"), the conventional result name
    }
 }

Klocwork reports an SV.STRUTS.VER defect on line 3, indicating that the project uses a vulnerable Apache Struts version. Klocwork reports an error if the project uses an Apache Struts version earlier than 2.5.10.1.

Fixed code example

 import com.opensymphony.xwork2.Action;
 public class LoginAction implements Action {   // same action; only the Struts dependency version has changed
    @Override
    public String execute() {
       return SUCCESS;   // Action.SUCCESS ("success"), the conventional result name
    }
 }

After updating to a compliant version of Apache Struts (at least version 2.5.12), Klocwork no longer reports a defect on line 3.
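To check a build's own dependency declaration against the version thresholds given above, here is an added Python example (not Klocwork's implementation): it audits a Maven pom.xml, resolves ${property} version placeholders, and flags org.apache.struts artifacts that fall in the affected 2.3.x and 2.5.x ranges. The sample POM, its property name and the artifact ids are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release of each affected branch, as stated on this page.
FIXED_IN = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); a '-SNAPSHOT' style qualifier is dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))

def is_vulnerable(version):
    """True for 2.3.x < 2.3.32 and 2.5.x < 2.5.10.1; None if unresolvable."""
    v = parse_version(version)
    if len(v) < 2:
        return None  # unresolved ${property} or version managed in a parent POM
    fixed = FIXED_IN.get(v[:2])
    return fixed is not None and v < fixed

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the Maven XML namespace

def audit_pom(pom_xml):
    """Return [(artifactId, resolved version, vulnerable?)] for org.apache.struts deps."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip() for node in root.iter()
             if _local(node.tag) == "properties" for p in node}
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") != "org.apache.struts":
            continue
        # Resolve ${name} placeholders from <properties>; unknown ones are kept verbatim.
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)),
                     fields.get("version", ""))
        findings.append((fields.get("artifactId"), ver, is_vulnerable(ver)))
    return findings

# Constructed sample POM (not from the page): struts2-core pinned via a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.5.10</struts.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId><version>${struts.version}</version></dependency>
    <dependency><groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId><version>2.5.12</version></dependency>
  </dependencies>
</project>"""
```

Run it against a real build with `audit_pom(open("pom.xml").read())`; a `None` in the result means the version could not be resolved from this file alone and must be checked in the parent or BOM.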