Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS04YzZqLWZmbWYtcTZ2bc4AATRI

Apache Struts RCE Vulnerability

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

Permalink: https://github.com/advisories/GHSA-8c6j-ffmf-q6vm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04YzZqLWZmbWYtcTZ2bc4AATRI
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 6 months ago

CVSS Score: 8.1
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-8c6j-ffmf-q6vm, CVE-2016-3081
References:

• https://nvd.nist.gov/vuln/detail/CVE-2016-3081
• https://struts.apache.org/docs/s2-032.html
• https://www.exploit-db.com/exploits/39756/
• http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html
• http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160527-01-struts2-en
• http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
• http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
• http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec
• http://www.rapid7.com/db/modules/exploit/multi/http/struts_dmi_exec
• https://web.archive.org/web/20210123152457/http://www.securityfocus.com/bid/91787
• https://web.archive.org/web/20210225192113/http://www.securityfocus.com/bid/87327
• https://web.archive.org/web/20210226011418/http://www.securitytracker.com/id/1035665
• https://github.com/advisories/GHSA-8c6j-ffmf-q6vm

Blast Radius: 30.7

Affected Packages