A vulnerability has been found in the Convention plugin of Apache Struts 2 that could allow path traversal and arbitrary code execution. A remote attacker could exploit the vulnerability by sending a specially crafted URL to an affected system on which the Convention plugin is enabled.
A successful attack could lead to information disclosure and arbitrary code execution on an affected system.
Apache Struts 2.3.x before 2.3.31 and 2.5.x before 2.5.5 are affected (CVE-2016-6795). Users should upgrade Apache Struts to 2.3.31 or 2.5.5 to address the issue. The update is available at:
http://struts.apache.org/docs/s2-042.html
Users of affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
https://www.hkcert.org/my_url/zh/alert/16102002
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6795
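The exposure described above only exists when a vulnerable struts2-core version is deployed together with the Convention plugin. The following script is an added example written for this page, not code from Apache Struts or from HKCERT; it inspects a web application's WEB-INF/lib directory and reports whether the deployed jars fall into the affected ranges named in the advisory (2.3.x before 2.3.31, 2.5.x before 2.5.5). It assumes the jars follow the standard Maven naming scheme (struts2-core-<version>.jar, struts2-convention-plugin-<version>.jar) and that the plugin is active whenever its jar is on the webapp classpath, which is how Struts 2 auto-discovers plugins; the sample directory listing used when the script is run without arguments is constructed for illustration.

```python
"""Check a Struts 2 deployment's WEB-INF/lib for S2-042 (CVE-2016-6795) exposure.

Added example for this advisory page; not code from Apache Struts or HKCERT.
Assumption: jars use the standard Maven names struts2-core-<version>.jar and
struts2-convention-plugin-<version>.jar, and the Convention plugin is active
whenever its jar is present on the webapp classpath.
"""
import re
import sys
from pathlib import Path

# First fixed release of each affected line, per the advisory and the CVE text:
# 2.3.x before 2.3.31 and 2.5.x before 2.5.5 are affected.
FIXED_VERSIONS = {(2, 3): (2, 3, 31), (2, 5): (2, 5, 5)}

# Accepts 2.5.2, 2.5 (patch omitted), 2.3.24.1 and qualifiers like -SNAPSHOT.
JAR_RE = re.compile(
    r"^(?P<artifact>struts2-core|struts2-convention-plugin)-"
    r"(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:[.-][A-Za-z0-9.]+)?\.jar$"
)

# Constructed sample listing (not from a real system) so the script runs offline.
SAMPLE_LIB = [
    "struts2-core-2.5.2.jar",
    "struts2-convention-plugin-2.5.2.jar",
    "commons-lang3-3.4.jar",
]


def parse_jar(name):
    """Return (artifact, (major, minor, patch)) for a Struts jar, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    patch = int(m.group("patch")) if m.group("patch") else 0
    version = (int(m.group("major")), int(m.group("minor")), patch)
    return m.group("artifact"), version


def core_is_vulnerable(version):
    """True if struts2-core `version` is below the fixed release of its line.

    Returns None when the version line (e.g. 2.1.x) is outside this advisory.
    """
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def assess(jar_names):
    """Classify a WEB-INF/lib listing; the 'status' key carries the verdict."""
    core = convention = None
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            continue
        artifact, version = parsed
        if artifact == "struts2-core":
            core = version
        else:
            convention = version
    result = {"core": core, "convention": convention, "status": "no-struts2-core"}
    if core is None:
        return result
    vulnerable = core_is_vulnerable(core)
    if vulnerable is None:
        result["status"] = "out-of-scope"          # not a 2.3.x / 2.5.x line
    elif not vulnerable:
        result["status"] = "fixed"                 # 2.3.31+ or 2.5.5+
    elif convention is None:
        result["status"] = "vulnerable-core-plugin-absent"  # patch anyway
    else:
        result["status"] = "vulnerable"            # S2-042 reachable
    return result


def assess_webapp(webapp_dir):
    """Run assess() over the jars actually deployed under <webapp>/WEB-INF/lib."""
    lib = Path(webapp_dir) / "WEB-INF" / "lib"
    if not lib.is_dir():
        return assess([])
    return assess(p.name for p in lib.iterdir() if p.is_file())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for webapp in sys.argv[1:]:
            print(webapp, assess_webapp(webapp))
    else:
        print("sample", assess(SAMPLE_LIB))
```

Run it with one or more exploded webapp directories as arguments (for example the directories under Tomcat's webapps/). A status of vulnerable-core-plugin-absent means the core jar is in an affected range even though the Convention plugin is not deployed; it should still be upgraded, since the same struts2-core releases carry other advisories and a later deployment may add the plugin.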