Critical severity 9.8 · NVD Advisory · Published Sep 20, 2017 · Updated May 13, 2026

CVE-2016-6795

CVE-2016-6795

Description

In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, a specially crafted URL can be used for path traversal and execution of arbitrary code on the server side.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.apache.struts:struts2-convention-plugin (Maven) | >= 2.3.0, < 2.3.31 | 2.3.31 |
| org.apache.struts:struts2-convention-plugin (Maven) | >= 2.5.0, < 2.5.5 | 2.5.5 |

Affected products

1
  • Apache Software Foundation/Apache Strutsv5
    Range: 2.3.x before 2.3.31

Patches

2
c1869f498994

Adds double check if resource exists

https://github.com/apache/struts · Lukasz Lenart · Aug 17, 2016 · via ghsa
1 file changed · +12 −4
  • plugins/convention/src/main/java/org/apache/struts2/convention/ConventionUnknownHandler.java+12 4 modified
    @@ -36,6 +36,12 @@
     import javax.servlet.ServletContext;
     import java.net.MalformedURLException;
     import java.util.*;
    +import java.net.URL;
    +import java.util.Collections;
    +import java.util.HashMap;
    +import java.util.LinkedHashMap;
    +import java.util.List;
    +import java.util.Map;
     
     /**
      * <p>
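Review bot: Five of the six imports added here (`java.util.Collections`, `HashMap`, `LinkedHashMap`, `List`, `Map`) are already covered by the `import java.util.*;` context line directly above them, so the file now mixes a wildcard with explicit imports from the same package. Only `import java.net.URL;` is needed for the new `URL resource` local in findResult. Either keep just that one line, or drop `import java.util.*;` in the same change once it is confirmed that nothing else in the file (not visible in this hunk) relies on it.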
    @@ -313,16 +319,18 @@ protected Result findResult(String path, String resultCode, String ext, ActionCo
             try {
                 LOG.trace("Checking ServletContext for {}", path);
     
    -            if (servletContext.getResource(path) != null) {
    -                LOG.trace("Found");
    +            URL resource = servletContext.getResource(path);
    +            if (resource != null && resource.getPath().endsWith(path)) {
    +                LOG.trace("Found resource {}", resource);
                     return buildResult(path, resultCode, resultsByExtension.get(ext), actionContext);
                 }
     
                 LOG.trace("Checking ClassLoader for {}", path);
     
                 String classLoaderPath = path.startsWith("/") ? path.substring(1, path.length()) : path;
    -            if (ClassLoaderUtil.getResource(classLoaderPath, getClass()) != null) {
    -                LOG.trace("Found");
    +            resource = ClassLoaderUtil.getResource(classLoaderPath, getClass());
    +            if (resource != null && resource.getPath().endsWith(classLoaderPath)) {
    +                LOG.trace("Found resource {}", resource);
                     return buildResult(path, resultCode, resultsByExtension.get(ext), actionContext);
                 }
             } catch (MalformedURLException e) {
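Review bot: The new `resource.getPath().endsWith(path)` guard, and the matching `endsWith(classLoaderPath)` one, has no comment saying why a non-null lookup result is no longer enough, and the commit title ("double check") does not explain it either. Since this comparison is the whole fix for the path traversal described in the advisory, I would put a why-comment above each guard, for example `// Accept only if the resolved URL still ends with the requested path; a lookup that resolves to a different location must not select a result.` The check is a plain suffix match on whatever URL form the container or class loader returns, so it presumably also rejects a legitimate resource whose name is percent-encoded in the URL; that dependency is worth stating in the comment or covering with a test. The same two guards appear unchanged in the second commit on this page (8e67b9144aa6), and findResult begins and ends outside this hunk.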
    
8e67b9144aa6

Adds double check if resource exists

https://github.com/apache/struts · Lukasz Lenart · Aug 17, 2016 · via ghsa
1 file changed · +18 −10
  • plugins/convention/src/main/java/org/apache/struts2/convention/ConventionUnknownHandler.java+18 10 modified
    @@ -43,6 +43,7 @@
     
     import javax.servlet.ServletContext;
     import java.net.MalformedURLException;
    +import java.net.URL;
     import java.util.Collections;
     import java.util.HashMap;
     import java.util.LinkedHashMap;
    @@ -332,27 +333,34 @@ protected Result findResult(String path, String resultCode, String ext, ActionCo
                                     Map<String, ResultTypeConfig> resultsByExtension) {
             try {
                 boolean traceEnabled = LOG.isTraceEnabled();
    -            if (traceEnabled)
    +            if (traceEnabled) {
                     LOG.trace("Checking ServletContext for [#0]", path);
    +            }
     
    -            if (servletContext.getResource(path) != null) {
    -                if (traceEnabled)
    -                    LOG.trace("Found");
    +            URL resource = servletContext.getResource(path);
    +            if (resource != null && resource.getPath().endsWith(path)) {
    +                if (traceEnabled) {
    +                    LOG.trace("Found resource #0", resource);
    +                }
                     return buildResult(path, resultCode, resultsByExtension.get(ext), actionContext);
                 }
     
    -            if (traceEnabled)
    -                LOG.trace("Checking ClasLoader for #0", path);
    +            if (traceEnabled) {
    +                LOG.trace("Checking ClassLoader for #0", path);
    +            }
     
                 String classLoaderPath = path.startsWith("/") ? path.substring(1, path.length()) : path;
    -            if (ClassLoaderUtil.getResource(classLoaderPath, getClass()) != null) {
    -                if (traceEnabled)
    -                    LOG.trace("Found");
    +            resource = ClassLoaderUtil.getResource(classLoaderPath, getClass());
    +            if (resource != null && resource.getPath().endsWith(classLoaderPath)) {
    +                if (traceEnabled) {
    +                    LOG.trace("Found resource #0", resource);
    +                }
                     return buildResult(path, resultCode, resultsByExtension.get(ext), actionContext);
                 }
             } catch (MalformedURLException e) {
    -            if (LOG.isErrorEnabled())
    +            if (LOG.isErrorEnabled()) {
                     LOG.error("Unable to parse template path: [#0] skipping...", path);
    +            }
             }
     
             return null;
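Review bot: The catch block at the end of this hunk logs only the path and discards the `MalformedURLException`, so the reason a template path could not be parsed is lost when this code path is investigated later. If the logger in use has an overload that takes a Throwable, pass the exception through, e.g. `LOG.error("Unable to parse template path: [#0] skipping...", e, path);`. The placeholder style is also inconsistent within the hunk: `[#0]` in the first trace message and the error message, bare `#0` in the "Found resource" and "Checking ClassLoader" messages. findResult's closing brace is outside the hunk.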
    


References

9
