New Apache Struts Vulnerability Leaves Major Websites Exposed
Remember last year's Equifax hack? It exploited a vulnerability in Apache Struts. Yesterday, news came of a new vulnerability in the open source Web framework, one that some people are saying could be worse than the one that put everyone's credit card information into the hands of criminals.
The new vulnerability, designated CVE-2018-11776, was discovered by Man Yue Mo, a researcher on the Semmle security research team. This vulnerability is in the core functionality of Struts, allowing remote code execution (RCE) when the framework is configured in certain ways.
"The vulnerability doesn't exist because of configurations, but when the system is configured in a certain way, you can take advantage of vulnerabilities that exist in Struts," says Glen Pendley, deputy CTO at Tenable.