6 matches found
CVE-2012-0391
CVE-2012-0391 affects Apache Struts 2 before 2.2.3.1, where the ExceptionDelegator interprets parameter values as OGNL expressions during certain exception handling for mismatched data types, enabling remote code execution via a crafted parameter. Multiple sources (CVE entry, CISA KEV, GHSA advis...
CVE-2006-1547
CVE-2006-1547 affects Apache Struts 1.x before 1.2.9 when used with BeanUtils 1.7. The vulnerability arises from ActionForm handling a multipart/form-data form where a parameter name references getMultipartRequestHandler, granting access to elements in CommonsMultipartRequestHandler and BeanUtils...
CVE-2020-26259
CVE-2020-26259 affects XStream in IBM Storage Copy Data Management (2.2.0.0–2.2.25.0). Unmarshalling user-supplied data could allow arbitrary file deletion on the host if the process runs with sufficient privileges. IBM’s remediation for the affected products is to upgrade to 2.2.26.0 (Linux) and...
CVE-2020-26258
CVE-2020-26258 is a Server-Side Forgery/SSRF via XStream unmarshalling in versions prior to 1.4.15. Public docs corroborate exploitation possible by crafted input streams to access internal resources, with Java 15+ mitigating the issue and a whitelist-based Security Framework recommended over the...
CVE-2023-34396
CVE-2023-34396 affects Apache Struts; a DoS condition arises when processing multipart requests with non-file fields, allowing remote attackers to exhaust resources. The entry covers Struts up to 2.5.30 and 6.1.2, with remediation by upgrading to Struts 2.5.31 or 6.1.2.1 (or later). IBM security ...
CVE-2023-34149
CVE-2023-34149 describes a denial-of-service flaw in Apache Struts caused by a vulnerability in how setProperty() is handled compared to getProperty(). The issue affects Struts up to 2.5.30 and up to 6.1.2, with remediation available by upgrading to Struts 2.5.31 or 6.1.2.1 (or greater). IBM and ...