Added: 05/06/2016
CVE: CVE-2016-3081
Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.
The Dynamic Method Invocation feature allows the HTTP request to specify the name of the method to invoke.
A vulnerability in the Dynamic Method Invocation feature allows a remote attacker to execute arbitrary code by sending a specially crafted request containing a **method:** prefix.
Upgrade to Apache Struts 2.3.20.3, 2.3.24.3, or 2.3.28.1 or higher, or disable Dynamic Method Invocation in the web application.
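To see whether requests carrying the **method:** prefix have reached an application, its access logs can be reviewed. The following is an added example, not code from this advisory or from the Struts project. It assumes common/combined-format access logs in which only the query string is visible (parameters sent in a POST body are not logged), and the names `classify_target` and `scan`, the verdict labels, and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Request target inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# Heuristic: a genuine method name is a plain Java identifier.
IDENTIFIER_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*")
PREFIX = "method:"

# Constructed sample log lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/May/2016:10:00:01 +0000] '
    '"GET /shop/index.action HTTP/1.1" 200 512',
    '192.0.2.11 - - [06/May/2016:10:00:02 +0000] '
    '"GET /shop/cart.action?method:save=Save HTTP/1.1" 200 734',
    '198.51.100.7 - - [06/May/2016:10:00:03 +0000] '
    '"GET /shop/cart.action?id=1&method%3ACONSTRUCTED%28non-identifier%29=1 '
    'HTTP/1.1" 200 98',
]

def classify_target(target):
    """Return (verdict, method_name) for each method: parameter in the query."""
    findings = []
    query = target.partition("?")[2]
    for pair in re.split(r"[&;]", query):
        # Decode the parameter name once, as the servlet container would.
        name = unquote_plus(pair.split("=", 1)[0])
        if not name.startswith(PREFIX):
            continue
        method = name[len(PREFIX):]
        # Plain identifier: ordinary DMI use. Anything else: flag for review.
        verdict = "dmi-use" if IDENTIFIER_RE.fullmatch(method) else "suspicious"
        findings.append((verdict, method))
    return findings

def scan(lines):
    """Return (line_number, verdict, method_name) for every flagged request."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            hits.extend((lineno, v, m) for v, m in classify_target(match.group(1)))
    return hits

if __name__ == "__main__":
    for lineno, verdict, method in scan(SAMPLE_LOG):
        print(f"line {lineno}: {verdict}: {method!r}")
```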
<https://struts.apache.org/docs/s2-032.html>
The exploit works on vulnerable versions of Apache Struts between 2.3.20 and 2.3.28 on Linux operating systems, and requires Dynamic Method Invocation to be enabled.
Linux