CVE-2011-2088: Exposure of Sensitive Information to an Unauthorized Actor

May 14, 2022 (updated August 17, 2023)

XWork 2.2.1 in Apache Struts 2.2.1, and OpenSymphony XWork in OpenSymphony WebWork, allows remote attackers to obtain potentially sensitive information about internal Java class paths via vectors involving an s:submit element and a nonexistent method, a different vulnerability than CVE-2011-1772.3.

References

secureappdev.blogspot.com/2011/05/apache-struts-2-xwork-webwork-reflected.html
github.com/advisories/GHSA-9ccm-g362-2r35
github.com/apache/struts/commit/885ab3459e146ff830d1f7257f809f4a3dd4493a
issues.apache.org/jira/browse/WW-3579
nvd.nist.gov/vuln/detail/CVE-2011-2088
web.archive.org/web/20110726113612/http://www.ventuneac.net/security-advisories/MVSA-11-006
web.archive.org/web/20201207174744/http://www.securityfocus.com/archive/1/518066/100/0/threaded

Code Behaviors & Features

Detect and mitigate CVE-2011-2088 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →