SUSE CVE-2021-31805

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %... syntax. Using forced OGNL evaluation on untrusted user input can lead to a...

CVE-2023-41835

When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which...

SUSE CVE-2023-34149

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater...

com.addc:addc-svr-struts12 (>=2.5 <=2.6.1), com.addc:addc-web-struts12 (>=2.5 <=2.6.1) +75 more potentially affected by CVE-2023-34396 via struts:struts (>=1.1 <=1.2.9)

struts:struts MAVEN version =1.1, =2.5, =2.5, =0.8-M1, =0.9.0, =5.0, =5.0, =4.0.3, =4.0.4 - nanocontainer:nanocontainer-nanowar-sample =1.0-RC-1 and more Source cves: CVE-2023-34396 Source advisory: OSV:GHSA-4G42-GQRG-4633...

PT-2023-3364 · Apache · Apache Struts

Name of the Vulnerable Software and Affected Versions: Apache Struts versions through 2.5.30 Apache Struts versions through 6.1.2 Description: The issue is related to the allocation of resources without limits or throttling, which can lead to a denial of service via out of memory OOM due to not...

SUSE CVE-2013-2248

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the 1 redirect: or 2 redirectAction: prefix...

SUSE CVE-2016-3093

Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service block access to a web site via unspecified vectors...

SUSE CVE-2016-4430

Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery CSRF attacks via unspecified vectors...

SUSE CVE-2016-4433

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request...

SUSE CVE-2020-17530

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25...

com.addc:addc-svr-struts12 (>=2.5 <=2.6.1), com.addc:addc-web-struts12 (>=2.5 <=2.6.1) +75 more potentially affected by CVE-2015-0899 via struts:struts (>=1.1 <=1.2.9)

struts:struts MAVEN version =1.1, =2.5, =2.5, =0.8-M1, =0.9.0, =5.0, =5.0, =4.0.3, =4.0.4 - nanocontainer:nanocontainer-nanowar-sample =1.0-RC-1 and more Source cves: CVE-2015-0899 Source advisory: OSV:GHSA-CVVX-R33M-V7PQ...

VulnCheck KEV: CVE-2014-0114

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute...

com.octo.captcha:jcaptcha-all (=1.0-RC-2.0.1), com.thesett:struts-tools (>=0.8-M1 <=0.9.117) +33 more potentially affected by CVE-2006-1547 via struts:struts (>=1.1 <=1.2.8)

struts:struts MAVEN version =1.1, =0.8-M1, =0.9.0, =1.0.0, =3.2, =3.2, =3.2, =3.2, =1.1.5, =1.0.3, =1.0.4 and more Source cves: CVE-2006-1547 Source advisory: OSV:GHSA-7QWV-CWGJ-C8RJ...

com.octo.captcha:jcaptcha-all (=1.0-RC-2.0.1), com.thesett:struts-tools (>=0.8-M1 <=0.9.117) +33 more potentially affected by CVE-2006-1546 via struts:struts (>=1.1 <=1.2.8)

struts:struts MAVEN version =1.1, =0.8-M1, =0.9.0, =1.0.0, =3.2, =3.2, =3.2, =3.2, =1.1.5, =1.0.3, =1.0.4 and more Source cves: CVE-2006-1546 Source advisory: OSV:GHSA-VF8G-MPMW-QV87...

GHSA-X5X7-3V85-WPC4 Apache Struts allows entering a custom URL in a form field if built-in URLValidator is used

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this...

Read: Apache Struts Patches ‘Critical Vulnerability’ CVE-2018-11776

On August 22, Apache Struts released a security patch fixing a critical remote code execution vulnerability. This vulnerability has been assigned CVE-2018-11776 S2-057 and affects Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16. The vulnerability was responsibly disclosed by Man Yue Mo fro...

New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers

Semmle security researcher Man Yue Mo has disclosed a critical remote code execution vulnerability in the popular Apache Struts web application framework that could allow remote attackers to run malicious code on the affected servers. Apache Struts is an open source framework for developing web...

Apache Struts2 Remote Code Execution Vulnerability (CNVD-2016-04089)

Apache Struts is the United States Apache Apache Software Foundation is responsible for maintaining an open source project , is a set of open source MVC framework for creating enterprise-class Java Web applications , mainly provides two versions of the framework products , Struts 1 and Struts 2...

UBUNTU-CVE-2014-0114

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrar...