Skip to content

[GHSA-8m5q-crqq-6pmf] Unrestricted Upload of File with Dangerous Type in Apache Struts2#7825

Closed
levpachmanov wants to merge 1 commit into
levpachmanov/advisory-improvement-7825from
levpachmanov-GHSA-8m5q-crqq-6pmf
Closed

[GHSA-8m5q-crqq-6pmf] Unrestricted Upload of File with Dangerous Type in Apache Struts2#7825
levpachmanov wants to merge 1 commit into
levpachmanov/advisory-improvement-7825from
levpachmanov-GHSA-8m5q-crqq-6pmf

Conversation

@levpachmanov

Copy link
Copy Markdown

Updates

  • Affected products

Comments
CVE-2012-1592not applicable. The S2-008/-009/-016-era OGNL parameter-injection family was fixed in the 2.3.x line by 2.3.4.1 / 2.3.16.1 (2012–2013); the 2.5.x branch (2016) inherits all of those fixes. STRUTS_2_5_10 ships the framework-level mitigations the CVE family relies on: struts.excludedClasses in struts-default.xml covers java.lang.Runtime, java.lang.ClassLoader, ognl.*, SecurityMemberAccess, ActionContext; struts.excludedPackageNames covers java.lang., ognl, javax, freemarker.core, freemarker.template; DefaultExcludedPatternsChecker.EXCLUDED_PATTERNS blocks dojo|struts|session|request|response|application|servlet*|parameters|context|_memberAccess and .*class.* parameter names. SecurityMemberAccessTest covers the class/package/static-access exclusion paths.

@github-actions github-actions Bot changed the base branch from main to levpachmanov/advisory-improvement-7825 May 28, 2026 20:58
@advisory-database advisory-database Bot closed this Jul 1, 2026
@taladrane

Copy link
Copy Markdown
Collaborator

hi @levpachmanov 👋 unfortunately given the age of this we can't easily verify the information, so I recommend reaching out to the assigning CNA to get these details updated in the upstream CVE record: https://www.cve.org/CVERecord?id=CVE-2012-1592 & https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat

Thank you for your contribution!

@github-actions github-actions Bot deleted the levpachmanov-GHSA-8m5q-crqq-6pmf branch July 1, 2026 17:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants