2549 matches found

OSV
added 2017/09/20 5:29 p.m.

CVE-2017-9793

The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allows performing a DoS attack using a malicious request with a specially crafted XML payload...

CVSS 7.5, AI score 8.2, EPSS 0.99461
Exploits 23, References 7
OSV
added 2017/09/20 5:29 p.m.

CVE-2017-12611

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to an RCE attack...

CVSS 9.8, AI score 8.2, EPSS 0.99461
Exploits 23, References 5
NVD
added 2017/09/20 5:29 p.m.

CVE-2017-9804

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload the server process when performing validation of the URL. NOTE: this...

CVSS 7.5, AI score 6, EPSS 0.09507
Exploits 23, References 7
OSV
added 2017/09/20 5:29 p.m.

CVE-2016-6795

In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on the server side...

CVSS 9.8, AI score 7.3
Exploits 0, References 3
Prion
added 2017/09/20 5:29 p.m.

Path traversal

In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on the server side...

CVSS 7.5, AI score 7.6, EPSS 0.08438
Exploits 0, References 3, Affected Software 1
OSV
added 2017/09/20 5:29 p.m.

CVE-2016-8738

In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload the server process when performing validation of the URL...

CVSS 5.9, AI score 6.6
Exploits 0, References 3
CVE
added 2017/09/20 5:00 p.m.

CVE-2017-12611

CVE-2017-12611 is an Apache Struts vulnerability where an unintentional Freemarker expression in a tag can lead to remote code execution (RCE). The initial description specifies affected releases from Struts 2.0.0–2.3.33 and 2.5–2.5.10.1, due to using a Freemarker expression instead of string lit...

CVSS 9.8, AI score 9.3, EPSS 0.8802
Exploits 6, References 5, Affected Software 1
Cvelist
added 2017/09/20 5:00 p.m.

CVE-2017-9793

The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allows performing a DoS attack using a malicious request with a specially crafted XML payload...

AI score 7.7, EPSS 0.07268
Exploits 0, References 7
CVE
added 2017/09/20 5:00 p.m.

CVE-2016-8738

CVE-2016-8738 affects Apache Struts 2.5 to 2.5.5. The issue arises when an application accepts a URL in a form field and uses the built-in URLValidator; a specially crafted URL can be used to overload the server during URL validation, yielding a DoS effect. The provided documents confirm the vuln...

CVSS 5.9, AI score 5.5, EPSS 0.03347
Exploits 0, References 3, Affected Software 1
Cvelist
added 2017/09/20 5:00 p.m.

CVE-2017-9804

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload the server process when performing validation of the URL. NOTE: this...

AI score 6.6, EPSS 0.99461
Exploits 23, References 7
Cvelist
added 2017/09/20 5:00 p.m.

CVE-2016-8738

In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload the server process when performing validation of the URL...

AI score 5.5, EPSS 0.03347
Exploits 0, References 3
Cvelist
added 2017/09/20 5:00 p.m.

CVE-2017-12611

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to an RCE attack...

AI score 9.5, EPSS 0.8802
Exploits 6, References 5
Cvelist
added 2017/09/20 5:00 p.m.

CVE-2016-6795

In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on the server side...

AI score 9.6, EPSS 0.08438
Exploits 0, References 3
CVE
added 2017/09/20 5:00 p.m.

CVE-2016-6795

CVE-2016-6795 affects Apache Struts 2, specifically the Convention plugin in Struts 2.3.x prior to 2.3.31 and 2.5.x prior to 2.5.5. The issue permits an attacker to craft a special URL that enables path traversal and execution of arbitrary code on the server side. According to NVD, the CVSS v2 ba...

CVSS 9.8, AI score 9.5, EPSS 0.08438
Exploits 0, References 3, Affected Software 1
CVE
added 2017/09/20 5:00 p.m.

CVE-2017-9804

CVE-2017-9805 affects Apache Struts 2 with the REST plugin that uses an XStreamHandler for XML deserialization without type filtering. The vulnerability allows remote code execution when processing crafted XML payloads. Affected versions are Apache Struts 2.x prior to 2.3.34 and 2.5.x prior to 2....

CVSS 7.5, AI score 6.4, EPSS 0.99461
Exploits 23, References 7, Affected Software 1
CVE
added 2017/09/20 5:00 p.m.

CVE-2017-9793

CVE-2017-9793 affects Apache Struts 2 REST plugin in 2.1.x and 2.3.x/2.5.x branches where an outdated XStream library is used, enabling DoS via a crafted XML payload during deserialization. The related connected sources corroborate a broader issue with the Struts REST plugin using XStream without...

CVSS 7.5, AI score 7.4, EPSS 0.07268
Exploits 0, References 7, Affected Software 1
Imperva Blog
added 2017/09/18 8:33 p.m.

Apache Struts, RCE and Managing App Risk

People used to argue about whether cyber security is a business problem or a technical problem. But this frames the issue poorly. “Problem” and “solution” imply that there is a definitive “solve.” Cybercrime isn’t a technical problem that can be definitively solved. It is an inherent business ris...

CVSS 10, AI score 0.4, EPSS 0.99999
Exploits 90
Check Point Advisories
added 2017/09/18 12:00 a.m.

Apache Struts 2 REST Plugin XStream Denial of Service (CVE-2017-9793)

A denial-of-service vulnerability exists in the Apache Struts 2 REST plugin. The vulnerability is due to improper validation of XML input by the XStream library during the deserialization process. A remote attacker could exploit this vulnerability by sending a crafted XML payload to the target serv...

CVSS 5, AI score 3.5, EPSS 0.07268
Exploits 0
myhack58
added 2017/09/17 12:00 a.m.

Struts 2 S2-053 vulnerability thematic research with POC - exploit warning - Black Bar Safety Net

Vulnerability overview. Vulnerability example. Remote code execution vulnerability. CVE-ID: CVE-2017-1000112. Severity: High-risk. Affected versions: Struts 2.0.1 – Struts 2.3.33, Struts 2.5 – Struts 2.5.10. Vulnerability impact: When the...

AI score 0.2, EPSS 0.20797
Exploits 19
UbuntuCve
added 2017/09/15 7:29 p.m.

CVE-2017-9805

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads...

CVSS 8.1, AI score 7, EPSS 0.99461
Exploits 23, References 3