Medium severity5.9NVD Advisory· Published Sep 20, 2017· Updated Jun 17, 2026
CVE-2016-8738
CVE-2016-8738
Description
In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.struts:struts2-coreMaven | >= 2.5.0, < 2.5.13 | 2.5.13 |
Affected products
8cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*+ 6 more
- cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:*
- (no CPE)range: 2.5 - 2.5.5
Patches
Vulnerability mechanics
References
7- struts.apache.org/docs/s2-044.htmlnvdMitigationPatchVendor AdvisoryWEB
- www.securityfocus.com/bid/94657nvdThird Party AdvisoryVDB Entry
- github.com/advisories/GHSA-86vq-8qhc-5rqwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-8738ghsaADVISORY
- github.com/apache/struts/commit/554b9dddb0fbd1e581ef577dd62a7c22955ad0f6ghsaWEB
- security.netapp.com/advisory/ntap-20180629-0003ghsaWEB
- security.netapp.com/advisory/ntap-20180629-0003/nvd
News mentions
0No linked articles in our index yet.