23 matches found
CVE-2024-53677
CVE-2024-53677 affects Apache Struts 2 (from 2.0.0 up to, but not including, 6.4.0). The root cause is flawed file upload logic that can be manipulated to enable path traversal, potentially allowing a malicious file upload and, under certain conditions, remote code execution (RCE). Public PoCs an...
CVE-2018-11776
The CVE-2018-11776 issue affects Apache Struts 2.x versions 2.3–2.3.34 and 2.5–2.5.16. The underlying condition is when alwaysSelectFullNamespace is true and a result or url tag lacks a namespace/value, and the upper namespace/action configuration also has no or a wildcard namespace, allowing rem...
CVE-2020-17530
CVE-2020-17530 describes a vulnerability in Apache Struts 2 where forced OGNL evaluation on raw user input in tag attributes can cause remote code execution. Affected products range from Struts 2.0.0 up to 2.5.25. The description states that evaluating untrusted input via the %{...} syntax enable...
CVE-2013-2251
CVE-2013-2251 affects Apache Struts 2 (versions 2.0.0–2.3.15) via improper handling of prefixed parameters in DefaultActionMapper (action:, redirect:, redirectAction:), allowing remote OGNL expression execution and arbitrary code execution. Some sources indicate this was addressed in Struts 2.3.1...
CVE-2017-9791
CVE-2017-9791 corresponds to an Apache Struts 1 vulnerability involving the Struts 1 plugin, where improper input handling could allow remote code execution via a malicious field value in a raw message to ActionMessage. Connected sources (CISA KEV) describe this as Apache Struts 1 Improper Input ...
CVE-2012-0391
CVE-2012-0391 affects Apache Struts 2 before 2.2.3.1, where the ExceptionDelegator interprets parameter values as OGNL expressions during certain exception handling for mismatched data types, enabling remote code execution via a crafted parameter. Multiple sources (CVE entry, CISA KEV, GHSA advis...
CVE-2017-12611
CVE-2017-12611 is an Apache Struts vulnerability where an unintentional Freemarker expression in a tag can lead to remote code execution (RCE). The initial description specifies affected releases from Struts 2.0.0–2.3.33 and 2.5–2.5.10.1, due to using a Freemarker expression instead of string lit...
CVE-2019-0230
CVE-2019-0230 affects Apache Struts 2.0.0–2.5.20 and is caused by forced double OGNL evaluation on raw user input in tag attributes, potentially enabling remote code execution. Reported impact is remote code execution with high severity (CVE CVSSv3 9.8). Mitigation documented in the sources inclu...
CVE-2023-50164
CVE-2023-50164 is an Apache Struts 2 directory traversal flaw in the file-upload parameter that can enable Remote Code Execution. Public details indicate exploitation attempts in the wild and advisories urging upgrading to Struts 2.5.33 or Struts 6.3.0.2 (or greater) to fix the issue. Affected co...
CVE-2021-31805
The CVE-2021-31805 entry describes a Remote Code Execution risk in Apache Struts caused by forced OGNL evaluation in tag attributes. The issue arises when untrusted input is evaluated via %{...}, enabling double OGNL evaluation and potentially remote code execution. Affected products span Apache ...
CVE-2011-3923
CVE-2011-3923 affects Apache Struts 2 prior to 2.3.1.2, where a flaw in the ParameterInterceptor allows untrusted input to be treated as OGNL expressions, bypassing protections and enabling remote command execution. Public details indicate the vulnerability enables an attacker to execute arbitrar...
CVE-2016-3081
CVE-2016-3081 concerns Apache Struts 2.x where Dynamic Method Invocation (DMI) is enabled. Affected ranges include 2.3.19–2.3.20.2, 2.3.21–2.3.24.1, and 2.3.25–2.3.28; exploitation via the method: prefix with chained expressions allows remote code execution. Exploit references exist (e.g., Exploi...
CVE-2013-2134
CVE-2013-2134: Apache Struts 2 before 2.3.14.3 allows remote OGNL code execution through a crafted action name during wildcard matching. IBM and other bulletins link this family of Struts vulnerabilities to exposed management interfaces and unauthorized access risks, with remediation typically de...
CVE-2016-4438
CVE-2016-4438 affects Apache Struts 2 REST plugin. The REST plugin in Struts 2 versions 2.3.19 through 2.3.28.1 is vulnerable to remote code execution via a crafted OGNL expression due to improper handling of OGNL expressions. The vulnerability could allow an attacker to execute arbitrary code on...
CVE-2013-1966
CVE-2013-1966 (and related Struts 2 OGNL flaws) enables remote code execution via crafted requests that abuse includeParams handling in the URL or A tag. Public docs in IBM advisories note affected IBM products (e.g., Sterling Order Management, Storwize Unified GUI/Storwize platforms) and specify...
CVE-2013-1965
CVE-2013-1965 affects Apache Struts 2, specifically the Struts Showcase App 2.0.0 through 2.3.13 (Struts 2 before 2.3.14.3). The vulnerability allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is mishandled during a redirect, enabling remote code execution o...
CVE-2013-2115
CVE-2013-2115 is an Apache Struts 2 remote code execution vulnerability. It allows an attacker to run OGNL code by sending a crafted request that is mishandled when includeParams is used in either the URL or an A tag, stemming from an incomplete fix for CVE-2013-1966. Connected IBM advisories ind...
CVE-2016-6795
CVE-2016-6795 affects Apache Struts 2, specifically the Convention plugin in Struts 2.3.x prior to 2.3.31 and 2.5.x prior to 2.5.5. The issue permits an attacker to craft a special URL that enables path traversal and execution of arbitrary code on the server side. According to NVD, the CVSS v2 ba...
CVE-2016-3087
CVE-2016-3087 affects Apache Struts 2.x when Dynamic Method Invocation is enabled and the REST Plugin is used. The vulnerability allows remote code execution via vectors related to the ! (exclamation mark) operator. Affected versions include Struts 2.3.20.x before 2.3.20.3, 2.3.24.x before 2.3.24...
CVE-2013-2135
CVE-2013-2135 affects Apache Struts 2 prior to 2.3.14.3, allowing remote execution via OGNL when a crafted value contains both "${}" and "%{}" sequences that cause double evaluation. The issue is documented in multiple sources (S2-015) and is tied to how includeParams is handled in certain reques...
CVE-2016-0785
CVE-2016-0785 affects Apache Struts 2.x; vulnerability arises from a double OGNL evaluation in tag attributes (forced OGNL). Affected versions include Struts 2.x before 2.3.29 (with references across IBM advisories and OSVs). Exploitation status is not detailed in the provided documents. Remediat...
CVE-2016-4436
Summary of CVE-2016-4436 : Apache Struts 2 is affected by an unspecified impact vulnerability due to improper action name cleanup. The CVE entry covers versions 2.3. before 2.3.29 and 2.5.x before 2.5.1. Connected IBM and IBM-related advisories explicitly reference this CVE and reiterate that upg...
CVE-2016-4461
CVE-2016-4461: Apache Struts vulnerability causing remote code execution via forced double OGNL evaluation. IBM/security bulletins show affected IBM FlashSystem products (V840, V900, Storwize/SAN volumes) with vulnerable VRMFs and the need to upgrade to fixed code levels. IBM Bulletins list affec...