Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04YzZqLWZmbWYtcTZ2bc4AATRI
Apache Struts RCE Vulnerability
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
Permalink: https://github.com/advisories/GHSA-8c6j-ffmf-q6vmJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04YzZqLWZmbWYtcTZ2bc4AATRI
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 6 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-8c6j-ffmf-q6vm, CVE-2016-3081
References:
- https://nvd.nist.gov/vuln/detail/CVE-2016-3081
- https://struts.apache.org/docs/s2-032.html
- https://www.exploit-db.com/exploits/39756/
- http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html
- http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160527-01-struts2-en
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec
- http://www.rapid7.com/db/modules/exploit/multi/http/struts_dmi_exec
- https://web.archive.org/web/20210123152457/http://www.securityfocus.com/bid/91787
- https://web.archive.org/web/20210225192113/http://www.securityfocus.com/bid/87327
- https://web.archive.org/web/20210226011418/http://www.securitytracker.com/id/1035665
- https://github.com/advisories/GHSA-8c6j-ffmf-q6vm
Affected Packages
maven:org.apache.struts:struts2-core
Dependent packages: 194Dependent repositories: 6,183
Downloads:
Affected Version Ranges: >= 2.3.21, <= 2.3.24.2, >= 2.3.25, <= 2.3.28, >= 2.3.19, <= 2.3.20.2
Fixed in: 2.3.24.3, 2.3.28.1, 2.3.20.3
All affected versions: 2.3.28
All unaffected versions: 2.0.5, 2.0.6, 2.0.8, 2.0.9, 2.0.11, 2.0.12, 2.0.14, 2.1.2, 2.1.6, 2.1.8, 2.2.1, 2.2.3, 2.3.1, 2.3.3, 2.3.4, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.15, 2.3.16, 2.3.20, 2.3.24, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.3.34, 2.3.35, 2.3.36, 2.3.37, 2.5.1, 2.5.2, 2.5.5, 2.5.8, 2.5.10, 2.5.12, 2.5.13, 2.5.14, 2.5.16, 2.5.17, 2.5.18, 2.5.20, 2.5.22, 2.5.25, 2.5.26, 2.5.27, 2.5.28, 2.5.29, 2.5.30, 2.5.31, 2.5.32, 2.5.33, 6.0.0, 6.0.3, 6.1.1, 6.1.2, 6.2.0, 6.3.0, 6.4.0