Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible
Remote Code Execution when alwaysSelectFullNamespace is true (either by
user or a plugin like Convention Plugin) and then: results are used with no
namespace and in same time, its upper package have no or wildcard namespace
and similar to results, same possibility when using url tag which doesn’t
have value and action set and in same time, its upper package have no or
wildcard namespace.

References

www.securitytracker.com/id/1041547

cwiki.apache.org/confluence/display/WW/S2-057

launchpad.net/bugs/cve/CVE-2018-11776

nvd.nist.gov/vuln/detail/CVE-2018-11776

security-tracker.debian.org/tracker/CVE-2018-11776

security.netapp.com/advisory/ntap-20180822-0001/

www.cve.org/CVERecord?id=CVE-2018-11776

packetstorm 3

myhack58 3

threatpost 20

osv 2

checkpoint_advisories 1

ibm 8

github 2

f5 1

openvas 3

nessus 7

akamaiblog 1

prion 1

zdt 4

veracode 1

krebs 1

attackerkb 3

impervablog 2

cve 1

cisa_kev 1

trendmicroblog 1

exploitpack 1

dsquare 1

redhatcve 1

qualysblog 3

metasploit 1

talosblog 1

cisco 1

kitploit 5

nuclei 1

exploitdb 2

githubexploit 3

thn 3

rapid7blog 1

fireeye 1

oracle 3

packetstorm

Apache Struts 2.3 / 2.5 Remote Code Execution

2018-08-25 00:00:00

Apache Struts 2.3 / 2.5 Remote Code Execution

2018-08-26 00:00:00

Apache Struts 2 Namespace Redirect OGNL Injection

2018-09-07 00:00:00

myhack58

Apache Struts2 S2-057 vulnerability analysis and early warning-vulnerability warning-the black bar safety net

2018-08-23 00:00:00

Apache Struts OGNL injection vulnerability principle with an example-vulnerability warning-the black bar safety net

2019-03-30 00:00:00

S2-057 vulnerability in the original author's README: how to use automated tools find 5 RCE-vulnerability warning-the black bar safety net

2018-08-23 00:00:00

threatpost

Five OAuth Bugs Lead to Github Hack

2014-02-11 10:53:58

PoC Code Surfaces to Exploit Apache Struts 2 Vulnerability

2018-08-24 22:07:17

Breached Credentials Used to Access Github Repositories

2016-06-17 11:01:55

osv

CVE-2018-11776

2018-08-22 13:29:00

Apache Struts vulnerable to remote command execution (RCE) due to improper input validation

2018-10-18 19:24:38

checkpoint_advisories

Apache Struts Remote Code Execution (CVE-2018-11776)

2018-08-23 00:00:00

ibm

Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem 840 and 900

2023-02-18 01:45:50

Security Bulletin: IBM Security Guardium is affected by a Publicly disclosed Apache Struts vulnerability

2018-09-28 04:30:01

Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem V840

2019-02-18 15:05:01

github

Apache Struts vulnerable to remote command execution (RCE) due to improper input validation

2018-10-18 19:24:38

Bypassing OGNL sandboxes for fun and charities

2023-01-27 16:00:49

K60499474 : Apache Struts vulnerability CVE-2018-11776

2018-08-24 00:00:00

openvas

Apache Struts2 Remote Code Execution Vulnerability (S2-057)

2018-08-23 00:00:00

Huawei Data Communication: Apache Struts2 S2-057 Remote Code Execution Vulnerability in Some Huawei Products (huawei-sa-20181121-01-struts2)

2020-06-05 00:00:00

Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)

2018-08-27 00:00:00

nessus

Apache Struts CVE-2018-11776 Results With No Namespace Possible Remote Code Execution (S2-057)

2018-08-22 00:00:00

Cisco Identity Services Engine Struts2 Namespace Vulnerability

2018-08-31 00:00:00

Cisco Unified Communications Manager IM & Presence Service Apache Struts RCE (CSCvm14049)

2018-09-05 00:00:00

akamaiblog

Web Application and API Protection -- From SQL Injection to Magecart

2020-09-09 13:00:00

prion

Remote code execution

2018-08-22 13:29:00

zdt

Apache Struts 2.x Remote Code Execution Vulnerability

2018-08-24 00:00:00

Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (1) Exploit

2018-08-28 00:00:00

Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (2) Exploit

2018-08-28 00:00:00

veracode

Remote Code Execution (RCE)

2018-08-22 17:36:38

krebs

Experts Urge Rapid Patching of ‘Struts’ Bug

2018-08-23 20:22:35

attackerkb

CVE-2018-11776

2018-08-22 00:00:00

CVE-2019-0230

2020-09-14 00:00:00

CVE-2022-26134

2022-07-13 00:00:00

impervablog

Read: Apache Struts Patches ‘Critical Vulnerability’ CVE-2018-11776

2018-08-23 14:25:36

The World’s Most Popular Coding Language Happens to be Most Hackers’ Weapon of Choice

2018-09-26 16:18:36

cve

CVE-2018-11776

2018-08-22 13:29:00

cisa_kev

Apache Struts Remote Code Execution Vulnerability

2021-11-03 00:00:00

trendmicroblog

Server Security for the Modern IT Ecosystem

2019-01-03 15:30:46

exploitpack

Apache Struts 2.3 2.3.34 2.5 2.5.16 - Remote Code Execution (1)

2018-08-26 00:00:00

dsquare

Apache Struts 2 Multiple Tags Result Namespace Handling RCE

2018-10-20 00:00:00

redhatcve

CVE-2018-11776

2018-08-22 08:49:33

qualysblog

Security News: Hackers Aim Ransomware at Big Cos., as Experts Call for Swift Patching of Struts Bug

2018-08-27 18:32:33

Detecting Apache Struts 2 Namespace RCE: CVE-2018-11776

2018-08-23 20:27:19

Managing CISA Known Exploited Vulnerabilities with Qualys VMDR

2022-02-23 05:39:00

metasploit

Apache Struts 2 Namespace Redirect OGNL Injection

2018-08-31 18:48:22

talosblog

Connecting the dots between recently active cryptominers

2018-12-18 08:33:00

cisco

Apache Struts Remote Code Execution Vulnerability Affecting Cisco Products: August 2018

2018-08-23 20:00:00

kitploit

Mitaka - A Browser Extension For OSINT Search

2019-09-21 12:00:00

Apache Struts v3 - Tool To Exploit 3 RCE Vulnerabilities On ApacheStruts

2018-08-26 21:14:00

Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts

2019-05-12 13:09:00

nuclei

Apache Struts2 S2-057 - Remote Code Execution

2021-02-24 04:29:30

exploitdb

Apache Struts 2 - Namespace Redirect OGNL Injection (Metasploit)

2018-09-10 00:00:00

Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (1)

2018-08-26 00:00:00

githubexploit

Exploit for Injection in Atlassian Confluence

2021-10-06 23:24:24

Exploit for Injection in Atlassian Confluence

2021-10-06 23:24:24

Exploit for Injection in Atlassian Confluence

2021-10-06 23:24:24

thn

Cisco Issues Security Patch Updates for 32 Flaws in its Products

2018-09-06 08:45:00

New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers

2018-08-22 14:04:00

Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems

2021-08-23 13:27:00

rapid7blog

Active Exploitation of Confluence CVE-2022-26134

2022-06-02 23:27:15

fireeye

Think Fast: Time Between Disclosure, Patch Release and Vulnerability Exploitation — Intelligence for Vulnerability Management, Part Two

2020-04-13 00:00:00

oracle

Oracle Critical Patch Update Advisory - January 2019

2019-01-15 00:00:00

Oracle Critical Patch Update - October 2018

2018-12-18 00:00:00

Oracle Critical Patch Update Advisory - July 2020

2020-07-14 00:00:00

Products

Security Intelligence
Non-intrusive assessment
Developers SDK
Windows scanner
Linux scanner
Perimeter control tool
MSSP

Database

Vulnerabilities
Exploits
IOC
Security News
BugBounty
Popular
Wild Exploited
Top Vulnerabilities

Tools

Linux Security Scanner
API integration
Subscriptions
Plugins
Manual Audit

Learn More

Stats
API
Docs
Api-keys
License
Pricing
Glossary
FAQ

Company

Blog
Contacts
About Us
OpenSource
EULA
Brand Guideline
Privacy Policy

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please contact us. Using Vulners services you are accepting Vulners services end-user license agreement

@2024 Vulners Inc

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.975 High

EPSS

Percentile

100.0%

JSON

Related for UB:CVE-2018-11776