The Apache Struts group has released version 220.127.116.11 of Apache Struts, the free open-source framework designed for the development of Java web applications.
The new version has been released to address a broken access control vulnerability in Struts 2.
“The Struts 2 action mapping mechanism supports the special parameter prefix action: which is intended to help with attaching navigational information to buttons within forms. In Struts 2 before 18.104.22.168, under certain conditions this can be used to bypass security constraints,” the security bulletin reads.
The action mapping mechanism has been changed to prevent an attacker from bypassing security constraints. Additional details on the vulnerability will be made available only after users patch their installations.
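As an added illustration, not taken from the article or from the Struts project's own bulletin, the `struts.xml` fragment below shows how the `action:` prefix handling of the default action mapper can be restricted by configuration. It assumes the constant names `struts.mapper.action.prefix.enabled` and `struts.mapper.action.prefix.crossNamespaces`, which exist in later Struts 2 releases but are not named in the quoted bulletin; which release introduced each constant and its default value are assumptions to check against the release notes of the version actually deployed. The settings are a defence-in-depth measure on top of the upgrade the bulletin calls for.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<!-- Added example configuration, not from the article or the Struts project.
     The constant names are assumed to exist in the Struts 2 release in use;
     verify them before relying on them. -->
<struts>
    <!-- Weak: the action: parameter prefix is honoured, so a form parameter
         named action:<name> (the one <s:submit action="..."/> emits) selects
         which action runs instead of the action named by the request URL. -->
    <!-- <constant name="struts.mapper.action.prefix.enabled" value="true"/> -->

    <!-- Hardened: ignore the action: prefix altogether. Appropriate when no
         JSP in the application uses <s:submit action="..."/> buttons. -->
    <constant name="struts.mapper.action.prefix.enabled" value="false"/>

    <!-- If the prefix must stay enabled for existing forms, keep it from
         selecting an action outside the namespace the URL resolved to. -->
    <constant name="struts.mapper.action.prefix.crossNamespaces" value="false"/>

    <!-- Minimal package so the file is a complete, loadable configuration. -->
    <package name="default" namespace="/" extends="struts-default">
        <action name="index">
            <result>/WEB-INF/jsp/index.jsp</result>
        </action>
    </package>
</struts>
```

Before turning the prefix off, search the application's JSPs and templates for `<s:submit action=` and for hand-written input names beginning with `action:`; any hit is a form that depends on the feature and must be reworked to plain per-action forms first, otherwise those buttons stop navigating after the change.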
The Apache Struts group advises customers to update their existing Struts 2 installations as soon as possible.