Apache Struts is an open-source Model-View-Controller (MVC) framework for creating elegant, modern Java web applications.
A RCE attack is possible when developer is using wrong construction in Freemarker tags (CVE-2017-12611). Affected software:
Struts 2.0.1 – Struts 2.3.33, Struts 2.5 – Struts 2.5.10
QID detection logic (Authenticated):
Detection looks for “struts core” jar files in deployed web applications directories and lib folder of Tomcat server. Once it successfully finds the jar file, version information is extracted from that jar files and compared.
Please note: Our detection does not support if the applications are deployed with server configuration unpackWARs=false.
A remote attacker could exploit this vulnerability to execute arbitrary code.