Atlassian FishEye Struts 2 ParametersInterceptor Remote Code Execution Exploit

The ParametersInterceptor class of the XWork framework, part of the Struts 2 web framework, as shipped with Atlassian FishEye, does not properly restrict access to server-side objects. Remote unauthenticated attackers can exploit this to modify server-side objects and, for example, execute arbitrary commands via specially crafted OGNL (Object-Graph Navigation Language) expressions.
Vulnerability ID: 
Released Date: Sunday, September 5, 2010 - 19:00
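
A log check for the request shape described above, as an added example that is not part of the original advisory or of any vendor tooling. It assumes the OGNL expression arrives as a request parameter name (ParametersInterceptor evaluates parameter names as OGNL), a combined-format access log, and an allowlist pattern chosen for this example; the paths and log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Allowlist chosen for this example (an assumption, not the framework's own
# pattern): plain property paths such as "user.name" or "items[3].id".
SAFE_NAME = re.compile(r"\w+(\.\w+|\[\d+\])*", re.ASCII)
# Characters and \uXXXX escapes that give a parameter name expression syntax.
OGNL_HINT = re.compile(r"[#@(){}=,'\"]|\\u[0-9a-fA-F]{4}")
REQUEST = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/')

def param_names(request_target):
    """Yield URL-decoded parameter names from a request target's query string."""
    query = request_target.partition("?")[2]
    for pair in re.split(r"[&;]", query):
        if pair:
            # Split on the first raw '=' before decoding, so an encoded '='
            # (%3D) inside the name stays part of the name.
            yield unquote_plus(pair.split("=", 1)[0])

def classify(name):
    """Return 'ok', 'ognl-syntax' or 'unexpected' for one parameter name."""
    if SAFE_NAME.fullmatch(name):
        return "ok"
    if OGNL_HINT.search(name):
        return "ognl-syntax"
    return "unexpected"

def scan(log_lines):
    """Return (client, verdict, name) for every parameter name off the allowlist."""
    findings = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        for name in param_names(match.group(1)):
            verdict = classify(name)
            if verdict != "ok":
                findings.append((line.split()[0], verdict, name))
    return findings

# Constructed sample lines (documentation addresses, hypothetical paths).
SAMPLE = [
    '198.51.100.7 - - [05/Sep/2010:19:00:00 +0000] "GET /example.action?query=abc&page=2 HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Sep/2010:19:00:01 +0000] "GET /example.action?items%5B3%5D.id=7 HTTP/1.1" 200 88',
    '203.0.113.9 - - [05/Sep/2010:19:00:02 +0000] "GET /example.action?%23placeholder.flag=1 HTTP/1.1" 200 0',
    '203.0.113.9 - - [05/Sep/2010:19:00:03 +0000] "GET /example.action?%5Cu0023placeholder.flag=1 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Access logs record only the query string, so parameter names sent in a POST body need the same check at a proxy or in application-level request logging.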