Moderate severityNVD Advisory· Published Aug 28, 2007· Updated Apr 23, 2026
CVE-2007-4556
CVE-2007-4556
Description
Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via form input beginning with a "%{" sequence and ending with a "}" character.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
opensymphony:xworkMaven | < 1.2.3 | 1.2.3 |
opensymphony:xworkMaven | >= 2.0.0, < 2.0.4 | 2.0.4 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
16- forums.opensymphony.com/ann.jspanvdPatchVendor Advisory
- struts.apache.org/2.x/docs/s2-001.htmlnvdPatchThird Party AdvisoryWEB
- issues.apache.org/struts/browse/WW-2030nvdThird Party Advisory
- jira.opensymphony.com/browse/XW-544nvdVendor Advisory
- jira.opensymphony.com/secure/ReleaseNote.jspanvdVendor Advisory
- jira.opensymphony.com/secure/ReleaseNote.jspanvdVendor Advisory
- secunia.com/advisories/26681nvdThird Party Advisory
- secunia.com/advisories/26693nvdThird Party Advisory
- secunia.com/advisories/26694nvdThird Party Advisory
- wiki.opensymphony.com/display/WW/1.2.3+Press+ReleasenvdVendor Advisory
- www.securityfocus.com/bid/25524nvdThird Party AdvisoryVDB Entry
- www.vupen.com/english/advisories/2007/3041nvdThird Party Advisory
- www.vupen.com/english/advisories/2007/3042nvdThird Party Advisory
- github.com/advisories/GHSA-h7mf-qrm9-2848ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2007-4556ghsaADVISORY
- osvdb.org/37072nvdBroken Link
News mentions
0No linked articles in our index yet.