Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.STRUTS_2_3_29_WIN_LOCAL.NASL
HistoryJun 24, 2016 - 12:00 a.m.

Apache Struts 2.x < 2.3.29 Multiple Vulnerabilities (S2-035 - S2-040)

2016-06-2400:00:00
This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
106
JSON

The version of Apache Struts running on the remote Windows host is 2.x prior to 2.3.29. It is, therefore, affected by the following vulnerabilities :

  • A remote code execution vulnerability exists due to erroneously performing double OGNL evaluation of attribute values assigned to certain tags. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code.
    (CVE-2016-0785)

  • A cross-site request forgery (XSRF) vulnerability exists due to improper validation of session tokens. An unauthenticated, remote attacker can exploit this, via a malicious OGNL expression, to bypass token validation and perform an XSRF attack. (CVE-2016-4430)

  • Multiple input validation issues exists that allow internal security mechanisms to be bypassed, allowing the manipulation of a return string which can be used to redirect users to a malicious website. This affects both the default action method the ‘getter’ action method.
    (CVE-2016-4431, CVE-2016-4433)

  • An unspecified flaw exists that is triggered during the cleanup of action names. An unauthenticated, remote attacker can exploit this, via a specially crafted payload, to perform unspecified actions. (CVE-2016-4436)

  • A remote code execution vulnerability exists in the REST plugin due to improper handling of OGNL expressions. An unauthenticated, remote attacker can exploit this, via a specially crafted OGNL expression, to execute arbitrary code. (CVE-2016-4438)

  • A remote code execution vulnerability exists in user tag attributes due to improper handling of OGNL expressions. An unauthenticated, remote attacker can exploit this, via a specially crafted double OGNL evaluation, to execute arbitrary code. (CVE-2016-4461)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(91812);
  script_version("1.17");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id(
    "CVE-2016-0785",
    "CVE-2016-4430",
    "CVE-2016-4431",
    "CVE-2016-4433",
    "CVE-2016-4436",
    "CVE-2016-4438",
    "CVE-2016-4461"
  );
  script_bugtraq_id(
    85066,
    91275,
    91277,
    91280,
    91281,
    91282,
    91284
  );

  script_name(english:"Apache Struts 2.x < 2.3.29 Multiple Vulnerabilities (S2-035 - S2-040)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains a web application that uses a Java
framework that is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Apache Struts running on the remote Windows host is 2.x
prior to 2.3.29. It is, therefore, affected by the following
vulnerabilities :

  - A remote code execution vulnerability exists due to
    erroneously performing double OGNL evaluation of
    attribute values assigned to certain tags. An
    unauthenticated, remote attacker can exploit this, via a
    specially crafted request, to execute arbitrary code.
    (CVE-2016-0785)

  - A cross-site request forgery (XSRF) vulnerability exists
    due to improper validation of session tokens. An
    unauthenticated, remote attacker can exploit this, via a
    malicious OGNL expression, to bypass token validation
    and perform an XSRF attack. (CVE-2016-4430)

  - Multiple input validation issues exists that allow
    internal security mechanisms to be bypassed, allowing
    the manipulation of a return string which can be used to
    redirect users to a malicious website. This affects both
    the default action method the 'getter' action method.
    (CVE-2016-4431, CVE-2016-4433)

  - An unspecified flaw exists that is triggered during the
    cleanup of action names. An unauthenticated, remote
    attacker can exploit this, via a specially crafted
    payload, to perform unspecified actions. (CVE-2016-4436)

  - A remote code execution vulnerability exists in the REST
    plugin due to improper handling of OGNL expressions. An
    unauthenticated, remote attacker can exploit this, via
    a specially crafted OGNL expression, to execute
    arbitrary code. (CVE-2016-4438)

  - A remote code execution vulnerability exists in user tag
    attributes due to improper handling of OGNL expressions. 
    An unauthenticated, remote attacker can exploit this, 
    via a specially crafted double OGNL evaluation, to 
    execute arbitrary code. (CVE-2016-4461)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://struts.apache.org/docs/s2-035.html");
  script_set_attribute(attribute:"see_also", value:"https://struts.apache.org/docs/s2-036.html");
  script_set_attribute(attribute:"see_also", value:"https://struts.apache.org/docs/s2-037.html");
  script_set_attribute(attribute:"see_also", value:"https://struts.apache.org/docs/s2-038.html");
  script_set_attribute(attribute:"see_also", value:"https://struts.apache.org/docs/s2-039.html");
  script_set_attribute(attribute:"see_also", value:"https://struts.apache.org/docs/s2-040.html");
  script_set_attribute(attribute:"see_also", value:"http://struts.apache.org/docs/version-notes-2329.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Struts version 2.3.29 or later. Alternatively,
apply the workarounds referenced in the vendor advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-4461");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"Apache Struts REST Plugin OGNL Expression Handling RCE");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/06/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/06/24");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("os_fingerprint.nasl", "struts_detect_win.nbin", "struts_detect_nix.nbin", "struts_config_browser_detect.nbin");
  script_require_ports("installed_sw/Apache Struts", "installed_sw/Struts");

  exit(0);
}

include('vcf.inc');


app_info = vcf::combined_get_app_info(app:'Apache Struts');
vcf::check_granularity(app_info:app_info, sig_segments:3);

constraints = [
  { 'min_version' : '2.0.0', 'max_version' : '2.3.28.1', 'fixed_display' : '2.3.29' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags:{xsrf:TRUE});
VendorProductVersionCPE
apachestrutscpe:/a:apache:struts

Related

ibm 14
openvas 6
f5 6
jvn 2
cve 7
osv 7
ubuntucve 7
prion 7
github 7
redhatcve 5
nessus 4
seebug 1
dsquare 1
checkpoint_advisories 1
myhack58 1
wallarmlab 1
oracle 2
ibm
ibm
Security Bulletin: Vulnerabilities in Apache Struts affect the IBM FlashSystem model V840
2018-06-18 00:32:32
Security Bulletin: Multiple vulnerabilities in Apache Struts affect SAN Volume Controller, Storwize family and FlashSystem V9000 products
2023-03-29 01:48:02
Security Bulletin: Vulnerabilities in Apache Struts affect the IBM FlashSystem models 840 and 900
2023-02-18 01:45:50
openvas
openvas
Apache Struts Security Update (S2-037, S2-038, S2-039, S2-040)
2016-11-18 00:00:00
Apache Struts Multiple Vulnerabilities (S2-037, S2-038, S2-039, S2-040) - Linux
2016-11-18 00:00:00
Apache Struts Unspecified Vulnerability (S2-035) - Linux
2016-11-18 00:00:00
f5
f5
K000139043 : Apache Struts vulnerabilities CVE-2016-4430, CVE-2016-4431, and CVE-2016-4433
2024-03-26 00:00:00
K93135205 : Apache Struts 2 vulnerability CVE-2016-4436
2017-08-03 00:00:00
SOL15168792 - Apache Struts 2 vulnerability CVE-2016-4438
2016-06-24 00:00:00
jvn
jvn
JVN#45093481: Multiple vulnerabilities in Apache Struts 2
2016-06-20 00:00:00
JVN#07710476: Apache Struts 2 vulnerable to remote code execution
2016-06-20 00:00:00
cve
cve
CVE-2016-4461
2017-10-16 16:29:00
CVE-2016-4436
2016-10-03 15:59:00
CVE-2016-4433
2016-07-04 22:59:00
osv
osv
CVE-2016-4461
2017-10-16 16:29:00
Apache Struts improper action name cleanup
2022-05-17 02:16:00
Apache Struts Open Redirect
2022-05-17 02:16:00
ubuntucve
ubuntucve
CVE-2016-4461
2017-10-16 00:00:00
CVE-2016-4436
2016-10-03 00:00:00
CVE-2016-4438
2016-07-04 00:00:00
prion
prion
Design/Logic Flaw
2017-10-16 16:29:00
Input validation
2016-10-03 15:59:00
Design/Logic Flaw
2016-07-04 22:59:00
github
github
Apache Struts improper action name cleanup
2022-05-17 02:16:00
Arbitrary code execution in Apache Struts 2
2022-05-14 00:54:13
Apache Struts CSRF Vulnerability
2022-05-17 00:29:27
redhatcve
redhatcve
CVE-2016-4436
2016-06-20 14:18:25
CVE-2016-4433
2016-06-25 16:30:02
CVE-2016-4430
2016-06-20 20:24:28
nessus
nessus
Apache Struts 2 REST Plugin OGNL Expression Handling RCE
2016-06-24 00:00:00
Apache Struts 2 Tag Attribute Double OGNL Evaluation RCE
2016-03-24 00:00:00
Apache Struts 2.x < 2.3.28 Multiple Vulnerabilities (S2-028) (S2-029) (S2-030) (S2-034)
2016-03-24 00:00:00
seebug
seebug
Struts2 remote code execution vulnerability S2-037)
2016-06-16 00:00:00
dsquare
dsquare
Apache Struts REST Plugin OGNL Expression Handling RCE
2018-04-20 00:00:00
checkpoint_advisories
checkpoint_advisories
Apache Struts REST plugin Remote Code Execution (CVE-2016-4438)
2016-06-23 00:00:00
myhack58
myhack58
S2-057 vulnerability in the original author's README: how to use automated tools find 5 RCE-vulnerability warning-the black bar safety net
2018-08-23 00:00:00
wallarmlab
wallarmlab
New Struts2 Remote Code Execution exploit caught in the wild
2017-03-09 00:15:54
oracle
oracle
Oracle Critical Patch Update Advisory - July 2017
2018-03-20 00:00:00
Oracle Critical Patch Update Advisory - April 2017
2017-04-18 00:00:00
JSON
Related for STRUTS_2_3_29_WIN_LOCAL.NASL
ibm14openvas6f56jvn2cve7osv7ubuntucve7prion7github7redhatcve5nessus4seebug1dsquare1checkpoint_advisories1myhack581wallarmlab1oracle2