Atlassian FishEye Struts 2 ParametersInterceptor Remote Code Execution Exploit

The ParametersInterceptor class of the XWork framework, part of the Struts 2 web framework as shipped with Atlassian FishEye, does not properly restrict access to server-side objects. Remote unauthenticated attackers can exploit this to modify server-side objects and, for example, execute arbitrary commands via specially crafted OGNL (Object-Graph Navigation Language) expressions.
Vulnerability ID: CVE-2010-1870
Product Version: 10.5
Release Date: Monday, September 6, 2010 - 00:00