Hello all -
The Qualys WAS scanning engine has been updated to include a new detection for an Apache Struts remote code execution (RCE) vulnerability. This is part of an ongoing effort to provide comprehensive support for known Struts vulnerabilities. The CVE ID is CVE-2011-3923. This flaw exists in "ParametersInterceptor" and allows an attacker to put arbitrary OGNL statements into any String variable exposed by an action and have it evaluated as an OGNL expression. More information is available in Apache Struts Security Bulletin S2-009.
QID 150193 will be reported if this vulnerability is detected during a scan.
Vulnerable versions include Struts 2.0.0 to Struts 2.3.1.1. Upgrade to the latest version of the Apache Struts 2 framework to remediate this vulnerability.
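To complement the scan, the following is an added example (not Qualys or Apache code) that inventories deployed `struts2-core` jars and flags those in the affected range stated above, 2.0.0 through 2.3.1.1. It assumes the library keeps its Maven artifact file name, `struts2-core-<version>.jar`; the sample paths are constructed.

```python
import os
import re

# Affected range exactly as stated in the post: Struts 2.0.0 through 2.3.1.1.
AFFECTED_MIN = (2, 0, 0, 0)
AFFECTED_MAX = (2, 3, 1, 1)

# Assumption: the library is deployed under its Maven artifact name,
# struts2-core-<version>.jar, optionally with a "-qualifier" suffix.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$")


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1, 0) so tuples compare component-wise."""
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def is_affected(version_text):
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX


def affected_jars(paths):
    """Return (path, version) for every struts2-core jar in the affected range."""
    hits = []
    for path in paths:
        match = JAR_RE.match(os.path.basename(path.replace("\\", "/")))
        if match and is_affected(match.group(1)):
            hits.append((path, match.group(1)))
    return hits


def walk_jars(root):
    """Yield every .jar path below root (e.g. an unpacked webapps directory)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                yield os.path.join(dirpath, name)


# Constructed sample listing, not taken from any real host.
SAMPLE = [
    "/opt/tomcat/webapps/shop/WEB-INF/lib/struts2-core-2.3.1.1.jar",
    "/opt/tomcat/webapps/hr/WEB-INF/lib/struts2-core-2.0.14.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.1.2.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.5.30.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/xwork-core-2.3.1.1.jar",
]

if __name__ == "__main__":
    for path, version in affected_jars(SAMPLE):
        print(f"AFFECTED (CVE-2011-3923 range) {version}: {path}")
```

Pass `walk_jars("<deployment root>")` to `affected_jars` to check a real host. Jars still packed inside `.war` archives, or renamed copies, are not seen by a file-name check, so treat a clean result as a supplement to the scan rather than a replacement.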