High severity · 8.1 · CISA KEV · NVD Advisory · Published Aug 22, 2018 · Updated Jun 17, 2026
CVE-2018-11776
Description
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are subject to possible Remote Code Execution when alwaysSelectFullNamespace is true (set either by the user or by a plugin such as the Convention Plugin) and either of the following holds: results are used with no namespace while their upper package has no namespace or a wildcard namespace; or a url tag is used without value and action set while its upper package has no namespace or a wildcard namespace.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.struts:struts2-core (Maven) | >= 2.0.4, < 2.3.35 | 2.3.35 |
| org.apache.struts:struts2-core (Maven) | >= 2.5, < 2.5.17 | 2.5.17 |
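To triage an application against the description and table above, the following added example (not code from this advisory or from the Apache Struts project) checks a struts2-core version against the listed ranges and scans a struts.xml for the described result condition. The sample struts.xml is constructed, and the set of result types that accept a namespace param is an assumption not stated on this page; the url tag condition lives in JSP templates and is not covered.

```python
import xml.etree.ElementTree as ET

# Affected ranges from the table above: [low, high) for struts2-core.
AFFECTED = [((2, 0, 4), (2, 3, 35)), ((2, 5), (2, 5, 17))]
# Assumption: result types that accept a "namespace" param (not listed on this page).
NAMESPACE_RESULT_TYPES = {"redirectAction", "chain", "postback"}

# Constructed sample struts.xml, not taken from any real application.
SAMPLE = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="open" extends="struts-default">
    <action name="help"><result type="redirectAction">
      <param name="actionName">index</param></result></action>
  </package>
  <package name="pinned" namespace="/admin" extends="struts-default">
    <action name="save"><result type="redirectAction">
      <param name="actionName">list</param></result></action>
  </package>
</struts>"""

def version_affected(version):
    """True if a numeric struts2-core version string falls in a listed range."""
    v = tuple(int(p) for p in version.split("."))
    return any(low <= v < high for low, high in AFFECTED)

def full_namespace_enabled(root):
    """True if struts.xml sets alwaysSelectFullNamespace to true. A plugin such as
    the Convention Plugin can also enable it, so False here is not conclusive."""
    return any(c.get("name") == "struts.mapper.alwaysSelectFullNamespace"
               and (c.get("value") or "").strip().lower() == "true"
               for c in root.iter("constant"))

def exposed_results(root):
    """(package, action, type) for results with no namespace param inside a
    package whose namespace is missing or contains a wildcard."""
    found = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns and "*" not in ns:
            continue  # fixed namespace: the described condition is not met
        for action in pkg.iter("action"):
            for res in action.iter("result"):
                names = {p.get("name") for p in res.iter("param")}
                if res.get("type") in NAMESPACE_RESULT_TYPES and "namespace" not in names:
                    found.append((pkg.get("name"), action.get("name"), res.get("type")))
    return found

def audit(xml_text, version):
    root = ET.fromstring(xml_text)
    return {"version_affected": version_affected(version),
            "full_namespace_enabled": full_namespace_enabled(root),
            "exposed_results": exposed_results(root)}
```

A finding here is a prompt to upgrade to a patched version from the table, not proof of exploitability; an empty result does not clear an application that uses the Convention Plugin or affected url tags.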
References
- www.oracle.com/technetwork/security-advisory/alert-cve-2018-11776-5072787.html (nvd; Patch, Third Party Advisory, WEB)
- www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (nvd; Patch, Third Party Advisory, WEB)
- www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html (nvd; Patch, Third Party Advisory, WEB)
- lgtm.com/blog/apache_struts_CVE-2018-11776 (nvd; Exploit, Third Party Advisory, WEB)
- www.exploit-db.com/exploits/45260/ (nvd; Exploit, Third Party Advisory, VDB Entry)
- www.exploit-db.com/exploits/45262/ (nvd; Exploit, Third Party Advisory, VDB Entry)
- www.exploit-db.com/exploits/45367/ (nvd; Exploit, Third Party Advisory, VDB Entry)
- packetstormsecurity.com/files/172830/Apache-Struts-Remote-Code-Execution.html (nvd; Third Party Advisory, VDB Entry, WEB)
- www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-005.txt (nvd; Broken Link, Mailing List, Third Party Advisory, WEB)
- www.securityfocus.com/bid/105125 (nvd; Broken Link, Third Party Advisory, VDB Entry, WEB)
- www.securitytracker.com/id/1041547 (nvd; Broken Link, Third Party Advisory, VDB Entry, WEB)
- www.securitytracker.com/id/1041888 (nvd; Broken Link, Third Party Advisory, VDB Entry, WEB)
- cwiki.apache.org/confluence/display/WW/S2-057 (nvd; Issue Tracking, Third Party Advisory, WEB)
- github.com/advisories/GHSA-cr6j-3jp9-rw65 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-11776 (ghsa; ADVISORY)
- psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0012 (nvd; Third Party Advisory, WEB)
- security.netapp.com/advisory/ntap-20180822-0001/ (nvd; Third Party Advisory)
- security.netapp.com/advisory/ntap-20181018-0002/ (nvd; Third Party Advisory)
- www.oracle.com/security-alerts/cpujul2020.html (nvd; Third Party Advisory, WEB)
- github.com/apache/struts/commit/6e87474f9ad0549f07dd2c37d50a9ccd0977c6e (ghsa; WEB)
- lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E (nvd; Mailing List, WEB)
- lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E (ghsa; WEB)
- security.netapp.com/advisory/ntap-20180822-0001 (ghsa; WEB)
- security.netapp.com/advisory/ntap-20181018-0002 (ghsa; WEB)
- web.archive.org/web/20180822160726/http://www.securityfocus.com/bid/105125 (ghsa; WEB)
- web.archive.org/web/20200807025819/http://www.securitytracker.com/id/1041888 (ghsa; WEB)
- web.archive.org/web/20201208145803/https://securitytracker.com/id/1041547 (ghsa; WEB)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (nvd; US Government Resource, WEB)
- www.exploit-db.com/exploits/45260 (ghsa; WEB)
- www.exploit-db.com/exploits/45262 (ghsa; WEB)
- www.exploit-db.com/exploits/45367 (ghsa; WEB)