VYPR
Get started
← All advisories
Critical severity9.8NVD Advisory· Published Jul 4, 2016· Updated May 6, 2026

CVE-2016-4438

CVE-2016-4438

Description

The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.struts:struts2-coreMaven
>= 2.3.19, < 2.3.292.3.29
org.apache.struts:struts2-rest-pluginMaven
>= 2.3.19, < 2.3.292.3.29

Affected products

7
  • Apache/Struts7 versions
    cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*+ 6 more
    • cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*

Patches

4
6d7ac40dcede

Cleans up method name

https://github.com/apache/strutsLukasz LenartApr 29, 2016via ghsa
commit
1 file changed · +1 1
  • plugins/rest/src/main/java/org/apache/struts2/rest/RestActionMapper.java+1 1 modified
    @@ -320,7 +320,7 @@ private void handleDynamicMethodInvocation(ActionMapping mapping, String name) {
 
             mapping.setName(actionName);
             if (allowDynamicMethodCalls) {
-                mapping.setMethod(actionMethod);
+                mapping.setMethod(cleanupActionName(actionMethod));
             } else {
                 mapping.setMethod(null);
             }
76eb8f38a33a

Cleans up method name

https://github.com/apache/strutsLukasz LenartApr 29, 2016via ghsa
commit
1 file changed · +1 1
  • plugins/rest/src/main/java/org/apache/struts2/rest/RestActionMapper.java+1 1 modified
    @@ -311,7 +311,7 @@ private void handleDynamicMethodInvocation(ActionMapping mapping, String name) {
 
             mapping.setName(actionName);
             if (allowDynamicMethodCalls) {
-                mapping.setMethod(actionMethod);
+                mapping.setMethod(cleanupActionName(actionMethod));
             } else {
                 mapping.setMethod(null);
             }
deefeffd1142

Cleans up method name

https://github.com/apache/strutsLukasz LenartApr 19, 2016via ghsa
commit
1 file changed · +4 4
  • core/src/main/java/org/apache/struts2/dispatcher/mapper/DefaultActionMapper.java+4 4 modified
    @@ -136,7 +136,7 @@ public DefaultActionMapper() {
                 put(METHOD_PREFIX, new ParameterAction() {
                     public void execute(String key, ActionMapping mapping) {
                         if (allowDynamicMethodCalls) {
-                            mapping.setMethod(key.substring(METHOD_PREFIX.length()));
+                            mapping.setMethod(cleanupActionName(key.substring(METHOD_PREFIX.length())));
                         }
                     }
                 });
@@ -148,7 +148,7 @@ public void execute(final String key, ActionMapping mapping) {
                             if (allowDynamicMethodCalls) {
                                 int bang = name.indexOf('!');
                                 if (bang != -1) {
-                                    String method = name.substring(bang + 1);
+                                    String method = cleanupActionName(name.substring(bang + 1));
                                     mapping.setMethod(method);
                                     name = name.substring(0, bang);
                                 }
@@ -385,15 +385,15 @@ protected String cleanupActionName(final String rawActionName) {
             return rawActionName;
         } else {
             if (LOG.isWarnEnabled()) {
-                LOG.warn("Action [#0] does not match allowed action names pattern [#1], cleaning it up!",
+                LOG.warn("Action/method [#0] does not match allowed action names pattern [#1], cleaning it up!",
                         rawActionName, allowedActionNames);
             }
             String cleanActionName = rawActionName;
             for (String chunk : allowedActionNames.split(rawActionName)) {
                 cleanActionName = cleanActionName.replace(chunk, "");
             }
             if (LOG.isDebugEnabled()) {
-                LOG.debug("Cleaned action name [#0]", cleanActionName);
+                LOG.debug("Cleaned action/method name [#0]", cleanActionName);
             }
             return cleanActionName;
         }
c9c21378f2fb

Cleans up method name

https://github.com/apache/strutsLukasz LenartApr 19, 2016via ghsa
commit
1 file changed · +2 2
  • core/src/main/java/org/apache/struts2/dispatcher/mapper/DefaultActionMapper.java+2 2 modified
    @@ -136,7 +136,7 @@ public DefaultActionMapper() {
                 put(METHOD_PREFIX, new ParameterAction() {
                     public void execute(String key, ActionMapping mapping) {
                         if (allowDynamicMethodCalls) {
-                            mapping.setMethod(key.substring(METHOD_PREFIX.length()));
+                            mapping.setMethod(cleanupActionName(key.substring(METHOD_PREFIX.length())));
                         }
                     }
                 });
@@ -148,7 +148,7 @@ public void execute(final String key, ActionMapping mapping) {
                             if (allowDynamicMethodCalls) {
                                 int bang = name.indexOf('!');
                                 if (bang != -1) {
-                                    String method = name.substring(bang + 1);
+                                    String method = cleanupActionName(name.substring(bang + 1));
                                     mapping.setMethod(method);
                                     name = name.substring(0, bang);
                                 }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

12

News mentions

0

No linked articles in our index yet.