
513 matches found

Check Point Advisories
added 2016/05/01 12:0 a.m. | 6 views

Apache Struts Dynamic Method Remote Code Execution (CVE-2016-3081)

A remote code execution vulnerability exists in Apache's Struts 2 web application framework. The vulnerability is due to Dynamic Method invocation content. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to a vulnerable server. A successful attac...

CVSS 9.3 | AI score 9.3 | EPSS 0.94171
Exploits: 12

Metasploit
added 2016/04/30 4:0 p.m. | 26 views

Apache Struts Dynamic Method Invocation Remote Code Execution

This module exploits a remote command execution vulnerability in Apache Struts version between 2.3.20 and 2.3.28 except 2.3.20.2 and 2.3.24.2. Remote Code Execution can be performed via method: prefix when Dynamic Method Invocation is enabled. This module requires Metasploit:...

CVSS 8.1 | AI score 0.9 | EPSS 0.94171
Exploits: 12

RedHat Linux
added 2016/04/29 5:50 p.m. | 2 views

OpenJDK: unrestricted deserialization of authentication credentials (JMX, 8144430)

It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger...

CVSS 10 | AI score 7.3 | EPSS 0.93287
Exploits: 1 | References: 6

RedHat Linux
added 2016/04/29 5:50 p.m. | 3 views

JDK: insecure use of invoke method in CORBA component, incorrect CVE-2013-3009 fix

The com.ibm.CORBA.iiop.ClientDelegate class in IBM SDK, Java Technology Edition 6 before SR16 FP25 6.0.16.25, 6 R1 before SR8 FP25 6.1.8.25, 7 before SR9 FP40 7.0.9.40, 7 R1 before SR3 FP40 7.1.3.40, and 8 before SR3 8.0.3.0 uses the invoke method of the java.lang.reflect.Method class in an...

CVSS 9.3 | AI score 7.4 | EPSS 0.05848
Exploits: 0 | References: 5

Tenable Nessus
added 2016/04/28 12:0 a.m. | 135 views

Apache Struts 2.x < 2.3.28.1 Multiple Vulnerabilities

The version of Apache Struts running on the remote host is 2.x prior to 2.3.28.1. It is, therefore, affected by the following vulnerabilities: - An unspecified flaw exists, related to chained expressions, when Dynamic Method Invocation (DMI) is enabled. An unauthenticated, remote attacker can...

CVSS 10 | AI score 8.7 | EPSS 0.94171
Exploits: 16 | References: 7

myhack58
added 2016/04/27 12:0 a.m. | 15 views

Struts2 method invocation remote code execution vulnerability: CVE-2016-3081 analysis

0x00 Vulnerability description: On 2016/4/21, Struts2 officially released two CVEs, of which CVE-2016-3081 is officially rated high. The main cause is that, when the user has enabled dynamic method invocation, an attacker can achieve remote code execution. From my own search of the situatio...

AI score 1.9
Exploits: 0

OSV
added 2016/04/26 2:59 p.m. | 5 views

CVE-2016-3081

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions...

CVSS 8.1 | AI score 8.3
Exploits: 0 | References: 11

NVD
added 2016/04/26 2:59 p.m. | 18 views

CVE-2016-3081

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions...

CVSS 9.3 | AI score 8.3 | EPSS 0.94171
Exploits: 12 | References: 11

Prion
added 2016/04/26 2:59 p.m. | 26 views

Design/Logic Flaw

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions...

CVSS 9.3 | AI score 8.1 | EPSS 0.94171
Exploits: 12 | References: 11 | Affected Software: 2

UbuntuCve
added 2016/04/26 2:59 p.m. | 32 views

CVE-2016-3081

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions...

CVSS 9.3 | AI score 7.4 | EPSS 0.94171
Exploits: 12 | References: 3

CVE
added 2016/04/26 2:0 p.m. | 231 views

CVE-2016-3081

CVE-2016-3081 concerns Apache Struts 2.x where Dynamic Method Invocation (DMI) is enabled. Affected ranges include 2.3.19–2.3.20.2, 2.3.21–2.3.24.1, and 2.3.25–2.3.28; exploitation via the method: prefix with chained expressions allows remote code execution. Exploit references exist (e.g., Exploi...

CVSS 9.3 | AI score 8.2 | EPSS 0.94171
Exploits: 12 | References: 11 | Affected Software: 1

Cvelist
added 2016/04/26 2:0 p.m. | 29 views

CVE-2016-3081

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions...

AI score 8.3 | EPSS 0.94171
Exploits: 12 | References: 11

RedHat Linux
added 2016/04/21 2:58 p.m. | 4 views

OpenJDK: unrestricted deserialization of authentication credentials (JMX, 8144430)

It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger...

CVSS 10 | AI score 7.3 | EPSS 0.93287
Exploits: 1 | References: 6

RedHat Linux
added 2016/04/21 2:42 p.m. | 2 views

OpenJDK: unrestricted deserialization of authentication credentials (JMX, 8144430)

It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger...

CVSS 10 | AI score 7.3 | EPSS 0.93287
Exploits: 1 | References: 6

RedHat Linux
added 2016/04/20 7:35 p.m. | 1 view

OpenJDK: unrestricted deserialization of authentication credentials (JMX, 8144430)

It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger...

CVSS 10 | AI score 7.3 | EPSS 0.93287
Exploits: 1 | References: 6

RedHat Linux
added 2016/02/02 1:39 p.m. | 6 views

OpenJDK: logging of RMI connection secrets (JMX, 8130710)

Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66, and Java SE Embedded 8u65 allows remote authenticated users to affect confidentiality via vectors related to JMX...

CVSS 4 | AI score 7.3 | EPSS 0.00201
Exploits: 0 | References: 5

RedHat Linux
added 2016/02/02 10:4 a.m. | 3 views

OpenJDK: logging of RMI connection secrets (JMX, 8130710)

Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66, and Java SE Embedded 8u65 allows remote authenticated users to affect confidentiality via vectors related to JMX...

CVSS 4 | AI score 7.3 | EPSS 0.00201
Exploits: 0 | References: 5

RedHat Linux
added 2016/02/02 10:0 a.m. | 4 views

OpenJDK: logging of RMI connection secrets (JMX, 8130710)

Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66, and Java SE Embedded 8u65 allows remote authenticated users to affect confidentiality via vectors related to JMX...

CVSS 4 | AI score 7.3 | EPSS 0.00201
Exploits: 0 | References: 5

RedHat Linux
added 2016/01/21 11:39 a.m. | 3 views

OpenJDK: logging of RMI connection secrets (JMX, 8130710)

Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66, and Java SE Embedded 8u65 allows remote authenticated users to affect confidentiality via vectors related to JMX...

CVSS 4 | AI score 7.3 | EPSS 0.00201
Exploits: 0 | References: 5

RedHat Linux
added 2016/01/21 11:38 a.m. | 4 views

OpenJDK: logging of RMI connection secrets (JMX, 8130710)

Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66, and Java SE Embedded 8u65 allows remote authenticated users to affect confidentiality via vectors related to JMX...

CVSS 4 | AI score 7.3 | EPSS 0.00201
Exploits: 0 | References: 5