Struts
Sign in to watchby Apache
Source repositories
CVEs (61)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-5638 | Cri | 0.85 | 9.8 | 0.94 | KEV | Mar 11, 2017 | The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. |
| CVE-2017-9791 | Cri | 0.79 | 9.8 | 0.94 | KEV | Jul 10, 2017 | The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. |
| CVE-2013-2251 | Cri | 0.79 | 9.8 | 0.94 | KEV | Jul 20, 2013 | Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix. |
| CVE-2012-0391 | Cri | 0.79 | 9.8 | 0.88 | KEV | Jan 8, 2012 | The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter. |
| CVE-2017-9805 | Hig | 0.68 | 8.1 | 0.94 | KEV | Sep 15, 2017 | The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads. |
| CVE-2016-3082 | Cri | 0.66 | 9.8 | 0.25 | Apr 26, 2016 | XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. | |
| CVE-2016-3081 | Hig | 0.63 | 8.1 | 0.94 | Apr 26, 2016 | Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions. | |
| CVE-2006-1547 | Hig | 0.63 | 7.5 | 0.22 | KEV | Mar 30, 2006 | ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils. |
| CVE-2016-4438 | Cri | 0.62 | 9.8 | 0.62 | Jul 4, 2016 | The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. | |
| CVE-2013-2115 | Hig | 0.56 | 8.1 | 0.88 | Jul 10, 2013 | Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966. | |
| CVE-2015-0899 | Hig | 0.54 | 7.5 | 0.69 | Jul 4, 2016 | The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. | |
| CVE-2017-9793 | Hig | 0.49 | 7.5 | 0.08 | Sep 20, 2017 | The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload. | |
| CVE-2015-5209 | Hig | 0.49 | 7.5 | 0.01 | Aug 29, 2017 | Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object. | |
| CVE-2016-1182 | Hig | 0.47 | 8.2 | 0.03 | Jul 4, 2016 | ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899. | |
| CVE-2017-9804 | Hig | 0.42 | 7.5 | 0.05 | Sep 20, 2017 | In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672. | |
| CVE-2017-9787 | Hig | 0.42 | 7.5 | 0.08 | Jul 13, 2017 | When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33. | |
| CVE-2016-4433 | Hig | 0.42 | 7.5 | 0.04 | Jul 4, 2016 | Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request. | |
| CVE-2017-15707 | Med | 0.40 | 6.2 | 0.02 | Dec 1, 2017 | In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload. | |
| CVE-2015-5169 | Med | 0.40 | 6.1 | 0.01 | Sep 25, 2017 | Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20. | |
| CVE-2017-7672 | Med | 0.38 | 5.9 | 0.01 | Jul 13, 2017 | If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. Solution is to upgrade to Apache Struts version 2.5.12. |