Moderate severity · NVD Advisory · Published Mar 23, 2009 · Updated Apr 23, 2026
CVE-2008-6505
Description
Multiple directory traversal vulnerabilities in Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3 allow remote attackers to read arbitrary files via a ..%252f (encoded dot dot slash) in a URI with a /struts/ path, related to (1) FilterDispatcher in 2.0.x and (2) DefaultStaticContentLoader in 2.1.x.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.struts:struts2-core (Maven) | >= 2.0.0, < 2.0.12 | 2.0.12 |
| org.apache.struts:struts2-core (Maven) | >= 2.1.0, < 2.1.3 | 2.1.3 |
Affected products
- cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.1.2_beta:*:*:*:*:*:*:*
Patches
1f1c996eb1f0 WW-2779 Directory traversal vulnerability while serving static content
1 file changed · +24 −0
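--- a/core/src/test/java/org/apache/struts2/dispatcher/StaticContentLoaderTest.java
+++ b/core/src/test/java/org/apache/struts2/dispatcher/StaticContentLoaderTest.java
@@ -69,6 +69,30 @@ public void testInvalidRersources1() throws IOException {
 assertEquals(0, res.getContentLength());
 }
+public void testInvalidRersources2() throws IOException {
+contentLoader.findStaticResource("/struts/..", req, res);
+assertEquals(HttpServletResponse.SC_NOT_FOUND, res.getStatus());
+assertEquals(0, res.getContentLength());
+}
+
+public void testInvalidRersources3() throws IOException {
+contentLoader.findStaticResource("/struts/../othertest.properties", req, res);
+assertEquals(HttpServletResponse.SC_NOT_FOUND, res.getStatus());
+assertEquals(0, res.getContentLength());
+}
+
+public void testInvalidRersources4() throws IOException {
+contentLoader.findStaticResource("/struts/..%252f", req, res);
+assertEquals(HttpServletResponse.SC_NOT_FOUND, res.getStatus());
+assertEquals(0, res.getContentLength());
+}
+
+public void testInvalidRersources5() throws IOException {
+contentLoader.findStaticResource("/struts/..%252fothertest.properties", req, res);
+assertEquals(HttpServletResponse.SC_NOT_FOUND, res.getStatus());
+assertEquals(0, res.getContentLength());
+}
+
+
 @Override
 protected void setUp() throws Exception {
 super.setUp();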
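Review bot: The four added tests repeat the same three lines (the `findStaticResource` call, the `SC_NOT_FOUND` assert and the zero content-length assert) with only the path changing, and their names carry the existing `Rersources` typo forward; a one-line helper per case keeps the list of rejected paths easy to read and extend. The helper should also assert that `res` was not written to beyond status and length if the mock exposes a body, but that cannot be confirmed from this hunk. `testInvalidRersources1` starts before the hunk and could be moved onto the same helper.
```java
private void assertResourceRejected(String path) throws IOException {
    contentLoader.findStaticResource(path, req, res);
    assertEquals(HttpServletResponse.SC_NOT_FOUND, res.getStatus());
    assertEquals(0, res.getContentLength());
}

public void testInvalidResources2() throws IOException {
    assertResourceRejected("/struts/..");
}
// … unchanged in shape: testInvalidResources3–5 each call assertResourceRejected with their path …
```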
04fcefa44bae WW-2779 Directory traversal vulnerability while serving static content
2 files changed · +20 −9
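--- a/core/src/main/java/org/apache/struts2/dispatcher/DefaultStaticContentLoader.java
+++ b/core/src/main/java/org/apache/struts2/dispatcher/DefaultStaticContentLoader.java
@@ -24,13 +24,13 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.UnsupportedEncodingException;
+import java.net.URL;
 import java.net.URLDecoder;
 import java.util.ArrayList;
 import java.util.Calendar;
 import java.util.List;
 import java.util.StringTokenizer;
-import javax.servlet.FilterConfig;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -161,9 +161,21 @@ protected String[] parse(String packages) {
 public void findStaticResource(String path, HttpServletRequest request, HttpServletResponse response) throws IOException {
 String name = cleanupPath(path);
-if (!name.endsWith(".class")) {
-for (String pathPrefix : pathPrefixes) {
-InputStream is = findInputStream(buildPath(name, pathPrefix));
+for (String pathPrefix : pathPrefixes) {
+URL resourceUrl = findResource(buildPath(name, pathPrefix));
+if (resourceUrl != null) {
+InputStream is = null;
+try {
+//check that the resource path is under the pathPrefix path
+String pathEnding = buildPath(name, pathPrefix);
+if (resourceUrl.getFile().endsWith(pathEnding))
+is = resourceUrl.openStream();
+} catch (Exception ex) {
+// just ignore it
+continue;
+}
+
+//not inside the try block, as this could throw IOExceptions also
 if (is != null) {
 process(is, path, request, response);
 return;
@@ -258,8 +270,8 @@ private void initLogging(HostConfig filterConfig) {
 * @return The inputstream of the resource
 * @throws IOException If there is a problem locating the resource
 */
-protected InputStream findInputStream(String path) throws IOException {
-return ClassLoaderUtil.getResourceAsStream(path, getClass());
+protected URL findResource(String path) throws IOException {
+return ClassLoaderUtil.getResource(path, getClass());
 }
 /**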
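Review bot: The `if (!name.endsWith(".class")) {` guard removed at the top of the second hunk is not re-established anywhere in the new loop, so unless that exclusion moved to a line outside this hunk the loader will now serve `.class` resources that sit under a configured static path prefix; keep the exclusion by wrapping the loop in `if (!name.endsWith(".class")) {` as before, or by returning early before the loop. The new `catch (Exception ex) { continue; }` also discards every failure from the suffix check and `openStream()`, including runtime exceptions that indicate a bug rather than a missing resource; narrow it to `catch (IOException ex)` and record the failure instead of the `// just ignore it` comment so a misconfigured prefix stays diagnosable. The suffix comparison on `resourceUrl.getFile()` is the whole traversal defence here and depends on the classloader normalising `..` out of the returned URL, which is worth stating in a comment on that line. The body of `findStaticResource` continues past the end of the hunk, and the `@return The inputstream of the resource` Javadoc in the third hunk still describes the old `InputStream` return type of the renamed `findResource`.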
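--- a/core/src/main/java/org/apache/struts2/dispatcher/StaticContentLoader.java
+++ b/core/src/main/java/org/apache/struts2/dispatcher/StaticContentLoader.java
@@ -20,14 +20,13 @@
 */
 package org.apache.struts2.dispatcher;
-import org.apache.struts2.dispatcher.ng.HostConfig;
-
 import java.io.IOException;
-import javax.servlet.FilterConfig;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.apache.struts2.dispatcher.ng.HostConfig;
+
 /**
 * Interface for loading static resources, based on a path
 *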
References
- secunia.com/advisories/32497 — nvd, Vendor Advisory
- struts.apache.org/2.x/docs/s2-004.html — nvd, Vendor Advisory, WEB
- www.securityfocus.com/bid/32104 — nvd, Vendor Advisory
- www.vupen.com/english/advisories/2008/3003 — nvd, Vendor Advisory
- github.com/advisories/GHSA-wv7g-xhvw-8hcp — ghsa, ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2008-6505 — ghsa, ADVISORY
- issues.apache.org/struts/browse/WW-2779 — nvd, WEB
- github.com/apache/struts/commit/04fcefa44bae1263c7cad6986a9dafed67f0164f — ghsa, WEB
- github.com/apache/struts/commit/1f1c996eb1f0f3e2193fba0075f62ccd04e3c0c3 — ghsa, WEB
- web.archive.org/web/20081208214512/http://secunia.com/advisories/32497 — ghsa, WEB
- web.archive.org/web/20111025094319/http://www.securityfocus.com/bid/32104 — ghsa, WEB
- osvdb.org/49733 — nvd
- osvdb.org/49734 — nvd