Security Vulnerabilities fixed in Apache Struts S2-021
Description
The excluded parameter pattern introduced in version 2.3.16.1 to block access to the getClass() method was not sufficient: it can be bypassed with specially crafted requests. CookieInterceptor is vulnerable to the same kind of attack when it is configured to accept all cookies (when "*" is used to configure the cookiesName param).
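The advisory's point is that a denylist regex applied to parameter names (and, through CookieInterceptor, to cookie names) is a fragile control. The following is an added example written for this page, not Struts code and not the project's fix: it shows the hardening shape a defender wants instead, namely a strict allowlist of name characters, a case-insensitive rejection of any path segment named `class`, and the same check applied to cookie names even when the configuration says "*". All function names, the character classes and the sample names are assumptions constructed for the illustration.

```python
import re
from typing import Dict, List, Tuple

# Allowlist of characters permitted in an OGNL-style property path such as
# "user.name" or "items[0].price". Anything outside this set is rejected outright.
# (Assumed pattern for this example, not the one Struts ships.)
ACCEPTED_NAME = re.compile(r"^[A-Za-z0-9_.\[\]()']+$")

# Characters that separate path segments: dots, brackets, parentheses, quotes.
SEGMENT_SPLIT = re.compile(r"[.\[\]()'\"]+")

# Segments that must never be reachable through user-supplied names.
# Compared case-insensitively so that capitalisation cannot slip past the check.
FORBIDDEN_SEGMENTS = {"class"}

MAX_NAME_LENGTH = 100


def is_safe_param_name(name: str) -> bool:
    """Return True only if the name passes the allowlist and no segment is forbidden."""
    if not name or len(name) > MAX_NAME_LENGTH:
        return False
    if not ACCEPTED_NAME.match(name):
        return False
    segments = [s for s in SEGMENT_SPLIT.split(name) if s]
    return not any(seg.lower() in FORBIDDEN_SEGMENTS for seg in segments)


def filter_params(params: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split request parameters into those safe to bind and the names that were dropped.

    The rejected list is what you would log for detection purposes.
    """
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for name, value in params.items():
        if is_safe_param_name(name):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


def accepted_cookies(cookies_name_config: str, cookies: Dict[str, str]) -> Dict[str, str]:
    """Mimic a cookie interceptor's cookiesName setting, but never trust "*" blindly.

    cookies_name_config is either a comma-separated list of cookie names or "*".
    Even with "*", every cookie name goes through the same allowlist check as
    request parameters, because the cookie name is what gets bound as a property path.
    """
    config = cookies_name_config.strip()
    if config == "*":
        candidates = set(cookies)
    else:
        candidates = {n.strip() for n in config.split(",") if n.strip()}
    return {
        name: value
        for name, value in cookies.items()
        if name in candidates and is_safe_param_name(name)
    }


if __name__ == "__main__":
    # Constructed sample request: two ordinary bindings, one forbidden segment,
    # one name with characters outside the allowlist.
    sample = {
        "user.name": "alice",
        "items[0].price": "9.99",
        "class.name": "x",
        "user.name;drop": "y",
    }
    ok, dropped = filter_params(sample)
    print("bound:", sorted(ok))          # ['items[0].price', 'user.name']
    print("rejected:", sorted(dropped))  # ['class.name', 'user.name;drop']
    print(accepted_cookies("*", {"session": "abc", "Class.name": "x"}))  # {'session': 'abc'}
```

The rejected names are the interesting signal for a SOC: a request whose parameter or cookie names contain a `class` segment, in any capitalisation, is worth an alert regardless of whether the framework version in use is patched.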
Affected Applications
Apache Struts