struts2-core is vulnerable to remote code execution. The vulnerability exists when request values are used in expression literals, or in forced expressions, in Freemarker tags. The default Freemarker configuration allows ObjectConstructor, Execute, and freemarker.template.utility.JythonRuntime to be resolved, which enables the remote code execution weakness.
www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt
www.jd.com/
www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
www.securityfocus.com/bid/100829
cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.34
cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.12
kb.netapp.com/support/s/article/ka51A000000CgttQAC/NTAP-20170911-0001
struts.apache.org/docs/s2-053.html
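To find templates that match the pattern described above, the following added example (not code from the Struts project or from this advisory) lists Struts Freemarker tag attributes whose value is an expression rather than a string literal. The sample template and the property name redirectUri are constructed for illustration, and each finding is only a candidate for review: it matters when the property can be set from the request.

```python
import re

# Struts UI tags in Freemarker templates are invoked as <@s.name attr=... />.
# Simplification: attribute values are assumed not to contain '>'.
TAG_RE = re.compile(r'<@s\.(\w+)\b([^>]*)>', re.S)
# attr="quoted" | attr='quoted' | attr=bare
ATTR_RE = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s/>]+))''')
LITERALS = {"true", "false"}
NUMBER_RE = re.compile(r'-?\d+(\.\d+)?$')


def audit_template(text):
    """Return (line, tag, attribute, kind) for every Struts tag attribute
    that Freemarker evaluates as an expression instead of a string literal."""
    findings = []
    for tag in TAG_RE.finditer(text):
        line = text.count("\n", 0, tag.start()) + 1
        for m in ATTR_RE.finditer(tag.group(2)):
            attr, dq, sq, bare = m.groups()
            quoted = dq if dq is not None else sq
            if quoted is not None:
                # A quoted value is a literal unless it interpolates ${...}.
                if "${" in quoted:
                    findings.append((line, tag.group(1), attr, "interpolation"))
            elif bare not in LITERALS and not NUMBER_RE.match(bare):
                # An unquoted, non-constant value is an expression.
                findings.append((line, tag.group(1), attr, "bare-expression"))
    return findings


# Constructed sample template (not taken from a real application).
SAMPLE = '''<@s.form action="save">
  <@s.hidden name="redirectUri" value=redirectUri />
  <@s.hidden name="redirectUri" value="${redirectUri}" />
  <@s.textfield name="title" label="Title" />
</@s.form>
'''

if __name__ == "__main__":
    for line, tag, attr, kind in audit_template(SAMPLE):
        print(f"line {line}: <@s.{tag}> attribute '{attr}' uses {kind}")
```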