Lucene search
+L
ApacheStruts

23 matches found

CVE
CVE
added 2024/12/11 3:35 p.m.4418 views

CVE-2024-53677

CVE-2024-53677 affects Apache Struts 2 (from 2.0.0 up to, but not including, 6.4.0). The root cause is flawed file upload logic that can be manipulated to enable path traversal, potentially allowing a malicious file upload and, under certain conditions, remote code execution (RCE). Public PoCs an...

9.8CVSS6.5AI score0.78198EPSS
Web
CVE
CVE
added 2018/08/22 1:0 p.m.1790 views

CVE-2018-11776

The CVE-2018-11776 issue affects Apache Struts 2.x versions 2.3–2.3.34 and 2.5–2.5.16. The underlying condition is when alwaysSelectFullNamespace is true and a result or url tag lacks a namespace/value, and the upper namespace/action configuration also has no or a wildcard namespace, allowing rem...

9.3CVSS8.4AI score0.99993EPSS
In wild
CVE
CVE
added 2020/12/11 1:11 a.m.1430 views

CVE-2020-17530

CVE-2020-17530 describes a vulnerability in Apache Struts 2 where forced OGNL evaluation on raw user input in tag attributes can cause remote code execution. Affected products range from Struts 2.0.0 up to 2.5.25. The description states that evaluating untrusted input via the %{...} syntax enable...

9.8CVSS9.6AI score0.95922EPSS
In wild
CVE
CVE
added 2013/07/18 1:0 a.m.1199 views

CVE-2013-2251

CVE-2013-2251 affects Apache Struts 2 (versions 2.0.0–2.3.15) via improper handling of prefixed parameters in DefaultActionMapper (action:, redirect:, redirectAction:), allowing remote OGNL expression execution and arbitrary code execution. Some sources indicate this was addressed in Struts 2.3.1...

9.8CVSS8AI score0.99998EPSS
In wild
CVE
CVE
added 2017/07/10 4:0 p.m.1169 views

CVE-2017-9791

CVE-2017-9791 corresponds to an Apache Struts 1 vulnerability involving the Struts 1 plugin, where improper input handling could allow remote code execution via a malicious field value in a raw message to ActionMessage. Connected sources (CISA KEV) describe this as Apache Struts 1 Improper Input ...

9.8CVSS9.4AI score0.98931EPSS
In wild
CVE
CVE
added 2012/01/08 3:0 p.m.1151 views

CVE-2012-0391

CVE-2012-0391 affects Apache Struts 2 before 2.2.3.1, where the ExceptionDelegator interprets parameter values as OGNL expressions during certain exception handling for mismatched data types, enabling remote code execution via a crafted parameter. Multiple sources (CVE entry, CISA KEV, GHSA advis...

9.8CVSS8.5AI score0.75071EPSS
In wildWeb
CVE
CVE
added 2017/09/20 5:0 p.m.509 views

CVE-2017-12611

CVE-2017-12611 is an Apache Struts vulnerability where an unintentional Freemarker expression in a tag can lead to remote code execution (RCE). The initial description specifies affected releases from Struts 2.0.0–2.3.33 and 2.5–2.5.10.1, due to using a Freemarker expression instead of string lit...

9.8CVSS9.3AI score0.8802EPSS
CVE
CVE
added 2020/09/14 4:41 p.m.483 views

CVE-2019-0230

CVE-2019-0230 affects Apache Struts 2.0.0–2.5.20 and is caused by forced double OGNL evaluation on raw user input in tag attributes, potentially enabling remote code execution. Reported impact is remote code execution with high severity (CVE CVSSv3 9.8). Mitigation documented in the sources inclu...

9.8CVSS9.5AI score0.97399EPSS
In wildWeb
CVE
CVE
added 2023/12/07 8:49 a.m.415 views

CVE-2023-50164

CVE-2023-50164 is an Apache Struts 2 directory traversal flaw in the file-upload parameter that can enable Remote Code Execution. Public details indicate exploitation attempts in the wild and advisories urging upgrading to Struts 2.5.33 or Struts 6.3.0.2 (or greater) to fix the issue. Affected co...

9.8CVSS9.8AI score0.80819EPSS
Web
CVE
CVE
added 2022/04/12 3:25 p.m.349 views

CVE-2021-31805

The CVE-2021-31805 entry describes a Remote Code Execution risk in Apache Struts caused by forced OGNL evaluation in tag attributes. The issue arises when untrusted input is evaluated via %{...}, enabling double OGNL evaluation and potentially remote code execution. Affected products span Apache ...

9.8CVSS9.8AI score0.85315EPSS
In wild
CVE
CVE
added 2019/11/01 1:57 p.m.295 views

CVE-2011-3923

CVE-2011-3923 affects Apache Struts 2 prior to 2.3.1.2, where a flaw in the ParameterInterceptor allows untrusted input to be treated as OGNL expressions, bypassing protections and enabling remote command execution. Public details indicate the vulnerability enables an attacker to execute arbitrar...

9.8CVSS9.5AI score0.88829EPSS
Web
CVE
CVE
added 2016/04/26 2:0 p.m.247 views

CVE-2016-3081

CVE-2016-3081 concerns Apache Struts 2.x where Dynamic Method Invocation (DMI) is enabled. Affected ranges include 2.3.19–2.3.20.2, 2.3.21–2.3.24.1, and 2.3.25–2.3.28; exploitation via the method: prefix with chained expressions allows remote code execution. Exploit references exist (e.g., Exploi...

9.3CVSS8.2AI score0.9373EPSS
Web
CVE
CVE
added 2013/07/16 6:0 p.m.242 views

CVE-2013-2134

CVE-2013-2134: Apache Struts 2 before 2.3.14.3 allows remote OGNL code execution through a crafted action name during wildcard matching. IBM and other bulletins link this family of Struts vulnerabilities to exposed management interfaces and unauthorized access risks, with remediation typically de...

9.3CVSS8.1AI score0.70211EPSS
In wild
CVE
CVE
added 2016/07/04 10:0 p.m.177 views

CVE-2016-4438

CVE-2016-4438 affects Apache Struts 2 REST plugin. The REST plugin in Struts 2 versions 2.3.19 through 2.3.28.1 is vulnerable to remote code execution via a crafted OGNL expression due to improper handling of OGNL expressions. The vulnerability could allow an attacker to execute arbitrary code on...

9.8CVSS9.4AI score0.17171EPSS
Web
CVE
CVE
added 2013/07/10 7:0 p.m.163 views

CVE-2013-1966

CVE-2013-1966 (and related Struts 2 OGNL flaws) enables remote code execution via crafted requests that abuse includeParams handling in the URL or A tag. Public docs in IBM advisories note affected IBM products (e.g., Sterling Order Management, Storwize Unified GUI/Storwize platforms) and specify...

9.3CVSS8AI score0.71767EPSS
Web
CVE
CVE
added 2013/07/10 7:0 p.m.145 views

CVE-2013-1965

CVE-2013-1965 affects Apache Struts 2, specifically the Struts Showcase App 2.0.0 through 2.3.13 (Struts 2 before 2.3.14.3). The vulnerability allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is mishandled during a redirect, enabling remote code execution o...

9.3CVSS8AI score0.93813EPSS
CVE
CVE
added 2013/07/10 7:0 p.m.117 views

CVE-2013-2115

CVE-2013-2115 is an Apache Struts 2 remote code execution vulnerability. It allows an attacker to run OGNL code by sending a crafted request that is mishandled when includeParams is used in either the URL or an A tag, stemming from an incomplete fix for CVE-2013-1966. Connected IBM advisories ind...

9.3CVSS8.1AI score0.72778EPSS
CVE
CVE
added 2017/09/20 5:0 p.m.116 views

CVE-2016-6795

CVE-2016-6795 affects Apache Struts 2, specifically the Convention plugin in Struts 2.3.x prior to 2.3.31 and 2.5.x prior to 2.5.5. The issue permits an attacker to craft a special URL that enables path traversal and execution of arbitrary code on the server side. According to NVD, the CVSS v2 ba...

9.8CVSS9.5AI score0.08438EPSS
CVE
CVE
added 2016/06/07 6:0 p.m.112 views

CVE-2016-3087

CVE-2016-3087 affects Apache Struts 2.x when Dynamic Method Invocation is enabled and the REST Plugin is used. The vulnerability allows remote code execution via vectors related to the ! (exclamation mark) operator. Affected versions include Struts 2.3.20.x before 2.3.20.3, 2.3.24.x before 2.3.24...

9.8CVSS9.5AI score0.81087EPSS
Web
CVE
CVE
added 2013/07/16 6:0 p.m.105 views

CVE-2013-2135

CVE-2013-2135 affects Apache Struts 2 prior to 2.3.14.3, allowing remote execution via OGNL when a crafted value contains both "${}" and "%{}" sequences that cause double evaluation. The issue is documented in multiple sources (S2-015) and is tied to how includeParams is handled in certain reques...

9.3CVSS8.1AI score0.13828EPSS
In wild
CVE
CVE
added 2016/04/12 4:0 p.m.98 views

CVE-2016-0785

CVE-2016-0785 affects Apache Struts 2.x; vulnerability arises from a double OGNL evaluation in tag attributes (forced OGNL). Affected versions include Struts 2.x before 2.3.29 (with references across IBM advisories and OSVs). Exploitation status is not detailed in the provided documents. Remediat...

9CVSS8.7AI score0.08812EPSS
CVE
CVE
added 2016/10/03 3:0 p.m.93 views

CVE-2016-4436

Summary of CVE-2016-4436 : Apache Struts 2 is affected by an unspecified impact vulnerability due to improper action name cleanup. The CVE entry covers versions 2.3. before 2.3.29 and 2.5.x before 2.5.1. Connected IBM and IBM-related advisories explicitly reference this CVE and reiterate that upg...

9.8CVSS8.5AI score0.06549EPSS
CVE
CVE
added 2017/10/16 4:0 p.m.80 views

CVE-2016-4461

CVE-2016-4461: Apache Struts vulnerability causing remote code execution via forced double OGNL evaluation. IBM/security bulletins show affected IBM FlashSystem products (V840, V900, Storwize/SAN volumes) with vulnerable VRMFs and the need to upgrade to fixed code levels. IBM Bulletins list affec...

9CVSS8.8AI score0.0802EPSS