Maven package
org.apache.struts/struts2-core
pkg:maven/org.apache.struts/struts2-core
Vulnerabilities (60)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2014-0094 | — | — | | >= 2.0.0, < 2.3.16.2 | 2.3.16.2 | Mar 11, 2014 | The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. |
| CVE-2013-6348 | — | — | | < 2.3.16 | 2.3.16 | Nov 2, 2013 | Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/. |
| CVE-2013-4316 | — | — | | >= 2.0.0, < 2.3.15.2 | 2.3.15.2 | Sep 30, 2013 | Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. |
| CVE-2013-4310 | — | — | | < 2.3.15.3 | 2.3.15.3 | Sep 30, 2013 | Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix. |
| CVE-2013-2251 | Cri | 9.8 | KEV | < 2.3.15.1 | 2.3.15.1 | Jul 20, 2013 | Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix. |
| CVE-2013-2248 | — | — | | < 2.3.15.1 | 2.3.15.1 | Jul 20, 2013 | Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix. |
| CVE-2013-2135 | — | — | | >= 2.0.0, < 2.3.14.3 | 2.3.14.3 | Jul 16, 2013 | Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. |
| CVE-2013-2134 | — | — | | >= 2.0.0, < 2.3.14.3 | 2.3.14.3 | Jul 16, 2013 | Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. |
| CVE-2013-2115 | Hig | 8.1 | | >= 2.0.0, < 2.3.14.2 | 2.3.14.2 | Jul 10, 2013 | Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966. |
| CVE-2013-1966 | — | — | | >= 2.0.0, < 2.3.14.2 | 2.3.14.2 | Jul 10, 2013 | Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. |
| CVE-2013-1965 | — | — | | < 2.3.14.3 | 2.3.14.3 | Jul 10, 2013 | Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. |
| CVE-2012-4386 | — | — | | >= 2.0.0, < 2.3.4.1 | 2.3.4.1 | Sep 5, 2012 | The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attr |
| CVE-2012-0838 | — | — | | < 2.2.3.1 | 2.2.3.1 | Mar 2, 2012 | Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field. |
| CVE-2012-0393 | — | — | | < 2.3.1.1 | 2.3.1.1 | Jan 8, 2012 | The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object. |
| CVE-2012-0392 | — | — | | < 2.2.3.1 | 2.2.3.1 | Jan 8, 2012 | The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. |
| CVE-2012-0391 | Cri | 9.8 | KEV | < 2.2.3.1 | 2.2.3.1 | Jan 8, 2012 | The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter. |
| CVE-2011-1772 | — | — | | < 2.2.3 | 2.2.3 | May 13, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s |
| CVE-2010-1870 | — | — | | < 2.2.1 | 2.2.1 | Aug 17, 2010 | The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" p |
| CVE-2008-6682 | — | — | | >= 2.0.0, < 2.0.11.1 | 2.0.11.1 | Apr 9, 2009 | Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double quote) characters in the href attribute o |
| CVE-2008-6505 | — | — | | >= 2.0.0, < 2.0.12 | 2.0.12 | Mar 23, 2009 | Multiple directory traversal vulnerabilities in Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3 allow remote attackers to read arbitrary files via a ..%252f (encoded dot dot slash) in a URI with a /struts/ path, related to (1) FilterDispatcher in 2.0.x and (2) DefaultSta |
Page 3 of 3