GHSA-8FX9-5HX8-CRHM Apache Struts 2.0.1 uses an unintentional expression in a Freemarker tag instead of string literal
In Apache Struts 2.0.1 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of a string literal can lead to an RCE attack...
org.apache.struts:struts2-assembly (>=2.2.1 <=2.5.14.1), org.apache.struts:struts2-rest-showcase (>=2.1.2 <=2.5.14.1) +5 more potentially affected by CVE-2018-1327 via org.apache.struts:struts2-rest-plugin (>=2.1.2 <=2.5.14.1)
org.apache.struts:struts2-rest-plugin MAVEN version =2.1.2, =2.2.1, =2.1.2, =2.0-RC2.3, =1.0, =1.0.1 - org.meruvian.yama:yama-struts-core =1.0.1 Source cves: CVE-2018-1327 Source advisory: OSV:GHSA-38CR-2PH5-FRR9...
GHSA-38CR-2PH5-FRR9 Apache Struts REST Plugin can potentially allow a DoS attack
The Apache Struts REST Plugin uses the XStream library, which is vulnerable and allows a DoS attack when a malicious request with a specially crafted XML payload is used. Upgrade to Apache Struts version 2.5.16 and switch to the optional Jackson XML handler as described here...
Security Bulletin: IBM Security Guardium is affected by a publicly disclosed Apache Struts vulnerability
Summary IBM Security Guardium has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2018-1327 DESCRIPTION: Apache Struts is vulnerable to a denial of service. By sending a specially crafted XML request using the XStream handler with the Struts REST plugin, a remote attacker...
Security Bulletin: IBM Security Guardium is affected by a Publicly disclosed Apache Struts vulnerability
Summary IBM Security Guardium has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2018-11776 DESCRIPTION: Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action...
2018 Has Been Open Season on Open Source Supply Chains
As the number of open source components used in software supply chains shoots up, hackers are going along for the ride. Increasingly, threat actors are planting bad code in open-source repositories in the hope of harvesting the flaws later when the code is used in larger banking, manufacturing and healthcare Dev...
Security Bulletin: Publicly disclosed vulnerability from Apache Struts affects IBM Spectrum LSF Explorer
Summary Publicly disclosed vulnerability CVE-2018-11776 from Apache Struts affects IBM Spectrum LSF Explorer. Vulnerability Details CVEID: CVE-2018-11776 DESCRIPTION: Apache Struts namespace code execution CVSS Base Score: 9.8 CVSS Temporal Score: See for the current score CVSS Environmental Score:...
Security Bulletin: Publicly disclosed vulnerability from Apache Struts affects IBM Platform Application Center
Summary Publicly disclosed vulnerability CVE-2018-11776 from Apache Struts affects IBM Platform Application Center. Vulnerability Details CVEID: CVE-2018-11776 DESCRIPTION: Apache Struts namespace code execution CVSS Base Score: 9.8 CVSS Temporal Score: See for the current score CVSS Environmental...
UK Regulator Fines Equifax £500,000 Over 2017 Data Breach
Atlanta-based consumer credit reporting agency Equifax has been issued a £500,000 fine by the UK's privacy watchdog for its last year's massive data breach that exposed personal and financial data of hundreds of millions of its customers. Yes, £500,000—that's the maximum fine allowed by the UK's...
Apache Struts & SonicWall’s GMS exploits key targets of Mirai & Gafgyt IoT malware
By Waqas Security researchers at Palo Alto Networks' Unit 42 have discovered modified versions of the notorious Mirai and Gafgyt Internet of Things (IoT) malware. The malware variants are capable of targeting flaws that affect Apache Struts and SonicWall Global Management System (GMS). Moreover, the...
Apache Struts Unsupported Version Detection (deprecated)
This plugin has been deprecated. To identify unsupported instances of this product, search the plugin feed for Apache Struts SEoL. (The remainder of this result is truncated NASL plugin source from Tenable Network Security, Inc.)...
Apache Struts 2 OGNL Console Detected
Apache Struts 2 installed on the remote host is running an OGNL console. While this environment can help speed up development of web applications, it can leak information about the underlying web applications as well as the installation of Struts, Java, and other related items on the remote host a...
Apache Struts 2.x < 2.3.20 Multiple ClassLoader Manipulation Vulnerabilities (S2-021)
The version of Apache Struts running on the remote host is 2.x prior to 2.3.20. It is, therefore, affected by multiple class loader vulnerabilities: - A class loader vulnerability exists in ParametersInterceptor due to improper access restriction to the getClass method. A remote, unauthenticat...
1: Class Loader manipulation via request parameters
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrar...
Apache Struts 2 DevMode Enabled
Apache Struts 2 installed on the remote host is configured to operate in development mode (devMode). While this environment can help speed up development of web applications, it can leak information about the underlying web applications as well as the installation of Struts, Java, and other related...
Apache Struts 2.x < 2.3.14.2 Remote Code Execution Vulnerability (S2-013)
The version of Apache Struts running on the remote host is 2.x prior to 2.3.14.2. It, therefore, is affected by a remote code execution vulnerability in the URL and Anchor tags due to a flaw in handling the includeParams attribute. A remote, unauthenticated attacker can exploit this issue, via a...
Apache Struts 2.x < 2.3.4.1 Multiple Vulnerabilities (S2-010) (S2-011)
The version of Apache Struts running on the remote host is 2.x prior to 2.3.4.1. It is, therefore, affected by multiple vulnerabilities, including a Denial of Service (DoS) and cross-site request forgery (XSRF) vulnerabilities. Note that Nessus has not tested for these issues but has instead relied on...
Apache Struts 2.x < 2.3.1.2 RCE (S2-009)
The version of Apache Struts running on the remote host is 2.x prior to 2.3.1.2. It is, therefore, affected by a possible remote command execution vulnerability. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number...
Apache Struts 2.x < 2.3.15.2 Dynamic Method Invocation Multiple Vulnerabilities (S2-019)
The version of Apache Struts running on the remote host is 2.x prior to 2.3.15.2. It is, therefore, affected by multiple Dynamic Method Invocation (DMI) vulnerabilities, as DMI is enabled by default. Note that Nessus has not tested for these issues but has instead relied only on the application's...