VYPR

Maven package

org.apache.struts/struts2-core

pkg:maven/org.apache.struts/struts2-core

Vulnerabilities (60)

  • CVE-2016-8738 | Medium | Sep 20, 2017
    affected: >= 2.5.0, < 2.5.13 | fixed: 2.5.13

    In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL that overloads the server process when validation of the URL is performed.

  • CVE-2015-5209 | High | Aug 29, 2017
    affected: < 2.3.24.1 | fixed: 2.3.24.1

    Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.

  • CVE-2017-9787 | High | Jul 13, 2017
    affected: >= 2.3.7, < 2.3.33 | fixed: 2.3.33

    When Spring AOP functionality is used to secure Struts actions, it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.

  • CVE-2017-7672 | Medium | Jul 13, 2017
    affected: >= 2.5.0, < 2.5.12 | fixed: 2.5.12

    If an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL that overloads the server process when validation of the URL is performed. Solution is to upgrade to Apache Struts version 2.5.12.

  • CVE-2017-5638 | Critical, KEV | Mar 11, 2017
    affected: >= 2.3.0, < 2.3.32 | fixed: 2.3.32

    The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content

  • CVE-2016-4436 | Critical | Oct 3, 2016
    affected: >= 2.0.0, < 2.3.29 | fixed: 2.3.29

    Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.

  • CVE-2016-4465 | Medium | Jul 4, 2016
    affected: >= 2.3.20, < 2.3.29 | fixed: 2.3.29

    The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.

  • CVE-2016-4438 | Critical | Jul 4, 2016
    affected: >= 2.3.19, < 2.3.29 | fixed: 2.3.29

    The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.

  • CVE-2016-3093 | Medium | Jun 7, 2016
    affected: >= 2.0.0, < 2.3.24.3 | fixed: 2.3.24.3

    Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.

  • CVE-2016-3087 | Critical | Jun 7, 2016
    affected: >= 2.3.19, < 2.3.20.3 | fixed: 2.3.20.3

    Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.

  • CVE-2016-3082 | Critical | Apr 26, 2016
    affected: < 2.3.20.3 | fixed: 2.3.20.3

    XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.

  • CVE-2016-3081 | High | Apr 26, 2016
    affected: >= 2.3.19, < 2.3.20.3 | fixed: 2.3.20.3

    Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

  • CVE-2016-4003 | Medium | Apr 12, 2016
    affected: >= 2.0.0, < 2.3.28 | fixed: 2.3.28

    Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded par

  • CVE-2016-2162 | Medium | Apr 12, 2016
    affected: >= 2.0.0, < 2.3.28 | fixed: 2.3.28

    Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.

  • CVE-2016-0785 | High | Apr 12, 2016
    affected: >= 2.0.0, < 2.3.20.3 | fixed: 2.3.20.3

    Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.

  • CVE-2015-1831 | Jul 16, 2015
    affected: >= 2.0.0, < 2.3.20.1 | fixed: 2.3.20.1

    The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors.

  • CVE-2014-7809 | Dec 10, 2014
    affected: < 2.3.20 | fixed: 2.3.20

    Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.

  • CVE-2014-0116 | May 8, 2014
    affected: < 2.3.20 | fixed: 2.3.20

    CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vuln

  • CVE-2014-0113 | Apr 29, 2014
    affected: < 2.3.20 | fixed: 2.3.20

    CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulner

  • CVE-2014-0112 | Apr 29, 2014
    affected: < 2.3.20 | fixed: 2.3.20

    ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete