VYPR
← All advisories
Critical severity9.8NVD Advisory· Published Sep 20, 2017· Updated May 13, 2026

CVE-2017-12611

CVE-2017-12611

Description

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.struts:struts2-coreMaven
>= 2.0.1, < 2.3.342.3.34
org.apache.struts:struts2-coreMaven
>= 2.5.0, < 2.5.112.5.11

Affected products

1
  • Apache Software Foundation/Apache Strutsv5
    Range: 2.0.0 - 2.3.33

Patches

2
2306f5f7fad7

Uses better class resolver logic

https://github.com/apache/strutsLukasz LenartAug 26, 2017via ghsa
commit
1 file changed · +4 0
  • core/src/main/java/org/apache/struts2/views/freemarker/FreemarkerManager.java+4 0 modified
    @@ -34,6 +34,7 @@
 import freemarker.cache.MultiTemplateLoader;
 import freemarker.cache.TemplateLoader;
 import freemarker.cache.WebappTemplateLoader;
+import freemarker.core.TemplateClassResolver;
 import freemarker.ext.jsp.TaglibFactory;
 import freemarker.ext.servlet.HttpRequestHashModel;
 import freemarker.ext.servlet.HttpRequestParametersHashModel;
@@ -344,6 +345,9 @@ protected Configuration createConfiguration(ServletContext servletContext) throw
         configuration.setLocalizedLookup(false);
         configuration.setWhitespaceStripping(true);
 
+        LOG.debug("Sets NewBuiltinClassResolver to TemplateClassResolver.SAFER_RESOLVER");
+        configuration.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
+
         return configuration;
     }
637ad1c37072

Narrows class resolver

https://github.com/apache/strutsLukasz LenartFeb 2, 2017via ghsa
commit
1 file changed · +8 0
  • core/src/main/java/org/apache/struts2/views/freemarker/FreemarkerManager.java+8 0 modified
    @@ -28,6 +28,7 @@
 import com.opensymphony.xwork2.util.ClassLoaderUtil;
 import com.opensymphony.xwork2.util.ValueStack;
 import freemarker.cache.*;
+import freemarker.core.TemplateClassResolver;
 import freemarker.ext.jsp.TaglibFactory;
 import freemarker.ext.servlet.HttpRequestHashModel;
 import freemarker.ext.servlet.HttpRequestParametersHashModel;
@@ -318,16 +319,23 @@ protected Configuration createConfiguration(ServletContext servletContext) throw
         configuration.setTemplateExceptionHandler(TemplateExceptionHandler.HTML_DEBUG_HANDLER);
 
         if (mruMaxStrongSize > 0) {
+            LOG.debug("Sets Configuration.CACHE_STORAGE_KEY to strong:{}", mruMaxStrongSize);
             configuration.setSetting(Configuration.CACHE_STORAGE_KEY, "strong:" + mruMaxStrongSize);
         }
         if (templateUpdateDelay != null) {
+            LOG.debug("Sets Configuration.TEMPLATE_UPDATE_DELAY_KEY to {}", templateUpdateDelay);
             configuration.setSetting(Configuration.TEMPLATE_UPDATE_DELAY_KEY, templateUpdateDelay);
         }
         if (encoding != null) {
+            LOG.debug("Sets DefaultEncoding to {}", encoding);
             configuration.setDefaultEncoding(encoding);
         }
+        LOG.debug("Disabled localized lookups");
         configuration.setLocalizedLookup(false);
+        LOG.debug("Enabled whitespace stripping");
         configuration.setWhitespaceStripping(true);
+        LOG.debug("Sets NewBuiltinClassResolver to TemplateClassResolver.SAFER_RESOLVER");
+        configuration.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
 
         return configuration;
     }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10

News mentions

0

No linked articles in our index yet.