Years-Old Vulnerable Apache Struts 2 Versions See 387K Weekly Downloads
Over 387,000 users downloaded vulnerable Apache Struts versions this week. Exclusive Sonatype research reveals a high-risk flaw found by AI. Is your system at risk?...
VulnCheck KEV: CVE-2013-2134
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135...
Log4Shell HTTP Scanner
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Log4Shell HTTP Scanner', 'Description' = %q Versions of Apache Log4j2 impacted by CVE-2021-44228 which allow JNDI features used in configuration,...
Critical Remote Code Execution Flaw Uncovered in Apache Struts 2
Summary: A significant vulnerability has been identified in the Apache Struts 2 open-source web application framework, labeled CVE-2023-50164. This flaw poses a severe risk of remote code execution and unauthorized path traversal. Threat Level - Red | Vulnerability Report For a detailed threat...
Decoding CVE-2023-50164: Unveiling the Apache Struts File Upload Exploit
In this blog entry, we discuss the technical details of CVE-2023-50164, a critical vulnerability that affects Apache Struts 2 and enables unauthorized path traversal...
Observed Exploitation Attempts of Struts 2 S2-066 Vulnerability (CVE-2023-50164)
The Akamai Security Intelligence Group has seen numerous exploitation attempts on Apache Struts 2 since December 7, 2023, when a critical CVE was released...
The Apache Software Foundation Updates Struts 2
The Apache Software Foundation has released security updates to address a vulnerability CVE-2023-50164 in Struts 2. A remote attacker could exploit this vulnerability to take control of an affected system. Users and administrators are encouraged to review the Apache Security Bulletin (link is...
CVE-2023-50164
An attacker can manipulate file upload params to enable path traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this...
CVE-2023-50164
CVE-2023-50164 is an Apache Struts 2 directory traversal flaw in the file-upload parameter that can enable Remote Code Execution. Public details indicate exploitation attempts in the wild and advisories urging upgrading to Struts 2.5.33 or Struts 6.3.0.2 (or greater) to fix the issue. Affected co...
Denial Of Service (DoS)
Struts 2 Core is vulnerable to Denial of Service (DoS). The vulnerability exists when a multipart request has non-file form fields which allows an attacker to cause an application crash...
Denial Of Service (DoS)
Struts 2 Core is vulnerable to Denial of Service (DoS). The vulnerability exists due to improper list bound checks during a multipart request with non-file form fields. An attacker can submit a crafted request, resulting in an out of memory error if the struts.multipart.maxSize is a value greater o...
K43167094: Apache Struts 2 vulnerability CVE-2016-6795
Security Advisory Description In the Convention plugin in Apache Struts 2.3.20 through 2.3.30, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side. CVE-2016-6795 Impact There is no impact; F5 products are not affected by thi...
K17126: Apache Struts vulnerability CVE-2014-7809
Security Advisory Description Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable values, which allows remote attackers to bypass the CSRF protection mechanism. CVE-2014-7809 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5...
K93135205: Apache Struts 2 vulnerability CVE-2016-4436
Security Advisory Description Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. CVE-2016-4436 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status...
K10506844: Apache Struts 2 vulnerabilities CVE-2013-1966, CVE-2013-2115, CVE-2013-2134, and CVE-2013-2135
Security Advisory Description CVE-2013-1966 Apache Struts 2 before 2.3.14.1 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. CVE-2013-2115 Apache Struts 2 before 2.3.14.2 allow...
K17449: Apache Struts 2 vulnerability CVE-2015-5169
Security Advisory Description Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20. CVE-2015-5169 When debug mode is switched on in Apache Struts, under certain conditions, an arbitrary script may be executed in the 'Problem Report' screen. Affected versions are Struts 2.0.0 -...
K93174402: Apache Struts 2 vulnerability CVE-2016-3090
Security Advisory Description The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling. CVE-2016-3090 Impact There is no impact; F5 products are not affected by this...
K14933: Apache Struts vulnerability CVE-2013-2251
Security Advisory Description Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix. CVE-2013-2251 Impact None Security Advisory Status To determine if your release is kno...
K15168792: Apache Struts 2 vulnerability CVE-2016-4438
Security Advisory Description The REST plugin in Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. CVE-2016-4438 Impact There is no impact; F5 products are not affected by this vulnerability. Security Advisory Status F5 Product...
K37024017: Apache Struts 2 vulnerability CVE-2016-3087
Security Advisory Description Apache Struts 2.3.20.x before 2.3.20.3, 2.3.24.x before 2.3.24.3, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin...