S2-019

Dynamic Method Invocation disabled by default

| Who should read this | All Struts 2 developers and users |
|---|---|
| Impact of vulnerability | Dynamic method executions |
| Maximum security rating | Important |
| Recommendation | Developers should immediately upgrade to Struts 2.3.15.2 |
| Affected Software | Struts 2.0.0 - Struts 2.3.15.1 |
| Reporter | [email protected], HelloWorld security team |
| CVE Identifier | |
Dynamic Method Invocation is a mechanism known to introduce possible security vulnerabilities, but until now it was enabled by default, with a warning that users should switch it off if possible.

In Struts 2.3.15.2, Dynamic Method Invocation is set to false by default. Another option is to set `struts.enable.DynamicMethodInvocation` to false in struts.xml.
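The following struts.xml is an added example, not configuration shipped with the bulletin or with Struts itself. It shows the constant being set explicitly (which is how deployments on versions before 2.3.15.2 get the same default) and the explicit per-method action mappings that replace the `action!method` URL syntax DMI used to allow; the package, class and method names (`example`, `com.example.HelloAction`, `save`) are hypothetical placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <!-- Disable Dynamic Method Invocation explicitly. This is the default
         from 2.3.15.2 on; on older versions it must be set by hand.
         With DMI enabled, a request such as /example/Hello!save.action
         would invoke save() on the action class even though no mapping
         declares that method as an entry point. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- Hypothetical package: names below are placeholders for this example. -->
    <package name="example" namespace="/example" extends="struts-default">

        <!-- Default entry point: execute() on HelloAction. -->
        <action name="Hello" class="com.example.HelloAction">
            <result>/WEB-INF/jsp/hello.jsp</result>
        </action>

        <!-- With DMI off, every other method that should be reachable
             over HTTP is named explicitly in its own mapping, so the set
             of invokable methods is exactly what the configuration lists. -->
        <action name="Hello-save" class="com.example.HelloAction" method="save">
            <result>/WEB-INF/jsp/hello.jsp</result>
        </action>
    </package>
</struts>
```

Setting the constant is a stop-gap for deployments that cannot move immediately; the bulletin's recommendation remains to upgrade to 2.3.15.2, and any mapping that relied on `!method` URLs needs an explicit `method` attribute once DMI is off.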