Lucene search

ApacheStruts

18 matches found

added 2006/03/30 10:2 p.m. | 1047 views

CVE-2006-1547

ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elem...

CVSS 7.8 | AI score 7.2 | EPSS 0.1367

added 2014/04/30 10:49 a.m. | 270 views

CVE-2014-0114

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary ...

CVSS 7.5 | AI score 8.4 | EPSS 0.92739

added 2020/12/16 1:15 a.m. | 262 views

CVE-2020-26258

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly availa...

CVSS 7.7 | AI score 8.1 | EPSS 0.9368

added 2016/07/04 10:59 p.m. | 139 views

CVE-2015-0899

The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.

CVSS 7.5 | AI score 7.4 | EPSS 0.86907

added 2020/09/14 5:15 p.m. | 128 views

CVE-2019-0233

An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.

CVSS 7.5 | AI score 8.1 | EPSS 0.06858

added 2006/03/30 10:2 p.m. | 114 views

CVE-2006-1546

Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check...

CVSS 7.5 | AI score 6.3 | EPSS 0.01612

added 2014/04/29 10:37 a.m. | 104 views

CVE-2014-0112

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-00...

CVSS 7.5 | AI score 7.3 | EPSS 0.93075

added 2023/06/14 8:15 a.m. | 104 views

CVE-2023-34396

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater

CVSS 7.5 | AI score 5.7 | EPSS 0.00115

added 2017/07/13 3:29 p.m. | 103 views

CVE-2017-9787

When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.

CVSS 7.5 | AI score 7.4 | EPSS 0.13883

added 2017/09/20 5:29 p.m. | 103 views

CVE-2017-9793

The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.

CVSS 7.5 | AI score 7.4 | EPSS 0.13427

added 2017/09/20 5:29 p.m. | 102 views

CVE-2017-9804

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerabil...

CVSS 7.5 | AI score 6.4 | EPSS 0.12074

added 2014/04/29 10:37 a.m. | 96 views

CVE-2014-0113

CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists beca...

CVSS 7.5 | AI score 7.3 | EPSS 0.93075

added 2023/12/05 9:15 a.m. | 89 views

CVE-2023-41835

When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe ...

CVSS 7.5 | AI score 7.3 | EPSS 0.00197

added 2018/03/27 9:29 p.m. | 77 views

CVE-2018-1327

The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here http://struts.apac...

CVSS 7.5 | AI score 7.4 | EPSS 0.03356

added 2017/08/29 3:29 p.m. | 69 views

CVE-2015-5209

Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.

CVSS 7.5 | AI score 7.3 | EPSS 0.03619

added 2015/07/16 2:59 p.m. | 66 views

CVE-2015-1831

The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors.

CVSS 7.5 | AI score 6.5 | EPSS 0.06005

added 2016/07/04 10:59 p.m. | 60 views

CVE-2016-4433

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.

CVSS 7.5 | AI score 7.7 | EPSS 0.10632

added 2016/07/04 10:59 p.m. | 54 views

CVE-2016-4431

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.

CVSS 7.5 | AI score 7.8 | EPSS 0.22062