| 0 |
| url |
VCID-1exe-1vfk-f7bn |
| vulnerability_id |
VCID-1exe-1vfk-f7bn |
| summary |
Allows open redirects
Multiple open redirect vulnerabilities in this package allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the `redirect:` or `redirectAction:` prefix. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.15.1 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.15.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1uv2-rvmy-53hk |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 3 |
| vulnerability |
VCID-4ywn-n1my-83ev |
|
| 4 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 5 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 6 |
| vulnerability |
VCID-84ge-vq7u-j3ar |
|
| 7 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 8 |
| vulnerability |
VCID-8jup-umjw-9ba4 |
|
| 9 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 10 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 11 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 12 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 13 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 14 |
| vulnerability |
VCID-fvde-37ch-z7cg |
|
| 15 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 16 |
| vulnerability |
VCID-ghqg-ae1b-w7br |
|
| 17 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 18 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 19 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 20 |
| vulnerability |
VCID-kmqa-hsqy-muf1 |
|
| 21 |
| vulnerability |
VCID-m39c-3bv2-6ugy |
|
| 22 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 23 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 24 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 25 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 26 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 27 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 28 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 29 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 30 |
| vulnerability |
VCID-t1s3-f181-tqca |
|
| 31 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 32 |
| vulnerability |
VCID-wtca-5ffw-w7bc |
|
| 33 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 34 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 35 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 36 |
| vulnerability |
VCID-z6wr-3psx-dbfm |
|
| 37 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.15.1 |
|
|
| aliases |
CVE-2013-2248, GHSA-rpj9-r897-wc6q
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1exe-1vfk-f7bn |
|
| 1 |
| url |
VCID-1kjb-use6-23eu |
| vulnerability_id |
VCID-1kjb-use6-23eu |
| summary |
Code Injection
Apache Struts allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both `${}` and `%{}` sequences, which causes the OGNL code to be evaluated twice. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.14.3 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.14.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1exe-1vfk-f7bn |
|
| 1 |
| vulnerability |
VCID-1uv2-rvmy-53hk |
|
| 2 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 3 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 4 |
| vulnerability |
VCID-4ywn-n1my-83ev |
|
| 5 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 6 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 7 |
| vulnerability |
VCID-84ge-vq7u-j3ar |
|
| 8 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 9 |
| vulnerability |
VCID-8jup-umjw-9ba4 |
|
| 10 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 11 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 12 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 13 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 14 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 15 |
| vulnerability |
VCID-fvde-37ch-z7cg |
|
| 16 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 17 |
| vulnerability |
VCID-ghqg-ae1b-w7br |
|
| 18 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 19 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 20 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 21 |
| vulnerability |
VCID-kmqa-hsqy-muf1 |
|
| 22 |
| vulnerability |
VCID-m39c-3bv2-6ugy |
|
| 23 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 24 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 25 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 26 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 27 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 28 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 29 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 30 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 31 |
| vulnerability |
VCID-t1s3-f181-tqca |
|
| 32 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 33 |
| vulnerability |
VCID-wtca-5ffw-w7bc |
|
| 34 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 35 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 36 |
| vulnerability |
VCID-xpa5-fsb6-ukay |
|
| 37 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 38 |
| vulnerability |
VCID-z6wr-3psx-dbfm |
|
| 39 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.14.3 |
|
|
| aliases |
CVE-2013-2135, GHSA-pw8r-x2qm-3h5m
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1kjb-use6-23eu |
|
| 2 |
| url |
VCID-1uv2-rvmy-53hk |
| vulnerability_id |
VCID-1uv2-rvmy-53hk |
| summary |
Incomplete fix for ClassLoader manipulation via ParametersInterceptor
This package does not properly restrict access to the getClass method, which allows remote attackers to `manipulate` the `ClassLoader` and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.16.2 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.16.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 1 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 2 |
| vulnerability |
VCID-4ywn-n1my-83ev |
|
| 3 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 4 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 5 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 6 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 7 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 8 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 9 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 10 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 11 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 12 |
| vulnerability |
VCID-ghqg-ae1b-w7br |
|
| 13 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 14 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 15 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 16 |
| vulnerability |
VCID-m39c-3bv2-6ugy |
|
| 17 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 18 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 19 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 20 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 21 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 22 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 23 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 24 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 25 |
| vulnerability |
VCID-t1s3-f181-tqca |
|
| 26 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 27 |
| vulnerability |
VCID-wtca-5ffw-w7bc |
|
| 28 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 29 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 30 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 31 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.16.2 |
|
| 1 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.20 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1cxn-qv1w-2kh7 |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 3 |
| vulnerability |
VCID-4t8h-s9mh-p7c4 |
|
| 4 |
| vulnerability |
VCID-6dfe-8yy4-kkfj |
|
| 5 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 6 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 7 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 8 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 9 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 10 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 11 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 12 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 13 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 14 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 15 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 16 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 17 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 18 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 19 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 20 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 21 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 22 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 23 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 24 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 25 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 26 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 27 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 28 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 29 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 30 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20 |
|
|
| aliases |
CVE-2014-0112, GHSA-prjv-jj26-wf8h
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-1uv2-rvmy-53hk |
|
| 3 |
| url |
VCID-447s-4ag7-gyes |
| vulnerability_id |
VCID-447s-4ag7-gyes |
| summary |
Remote command execution
This package allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.14.3 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.14.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1exe-1vfk-f7bn |
|
| 1 |
| vulnerability |
VCID-1uv2-rvmy-53hk |
|
| 2 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 3 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 4 |
| vulnerability |
VCID-4ywn-n1my-83ev |
|
| 5 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 6 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 7 |
| vulnerability |
VCID-84ge-vq7u-j3ar |
|
| 8 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 9 |
| vulnerability |
VCID-8jup-umjw-9ba4 |
|
| 10 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 11 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 12 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 13 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 14 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 15 |
| vulnerability |
VCID-fvde-37ch-z7cg |
|
| 16 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 17 |
| vulnerability |
VCID-ghqg-ae1b-w7br |
|
| 18 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 19 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 20 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 21 |
| vulnerability |
VCID-kmqa-hsqy-muf1 |
|
| 22 |
| vulnerability |
VCID-m39c-3bv2-6ugy |
|
| 23 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 24 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 25 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 26 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 27 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 28 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 29 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 30 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 31 |
| vulnerability |
VCID-t1s3-f181-tqca |
|
| 32 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 33 |
| vulnerability |
VCID-wtca-5ffw-w7bc |
|
| 34 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 35 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 36 |
| vulnerability |
VCID-xpa5-fsb6-ukay |
|
| 37 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 38 |
| vulnerability |
VCID-z6wr-3psx-dbfm |
|
| 39 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.14.3 |
|
|
| aliases |
CVE-2013-1965, GHSA-whmq-v94q-34p9
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-447s-4ag7-gyes |
|
| 4 |
| url |
VCID-4bm7-hbe1-mfca |
| vulnerability_id |
VCID-4bm7-hbe1-mfca |
| summary |
Unrestricted Upload of File with Dangerous Type
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
|
| aliases |
CVE-2012-1592, GHSA-8m5q-crqq-6pmf
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4bm7-hbe1-mfca |
|
| 5 |
| url |
VCID-4bzw-ges2-d7ek |
| vulnerability_id |
VCID-4bzw-ges2-d7ek |
| summary |
Apache Struts forced double OGNL evaluation
Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2016-4461, GHSA-864w-r5qj-h6fj
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4bzw-ges2-d7ek |
|
| 6 |
| url |
VCID-4ywn-n1my-83ev |
| vulnerability_id |
VCID-4ywn-n1my-83ev |
| summary |
Improper Input Validation
The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.20 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1cxn-qv1w-2kh7 |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 3 |
| vulnerability |
VCID-4t8h-s9mh-p7c4 |
|
| 4 |
| vulnerability |
VCID-6dfe-8yy4-kkfj |
|
| 5 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 6 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 7 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 8 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 9 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 10 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 11 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 12 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 13 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 14 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 15 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 16 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 17 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 18 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 19 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 20 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 21 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 22 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 23 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 24 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 25 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 26 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 27 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 28 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 29 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 30 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20 |
|
|
| aliases |
CVE-2016-3090, GHSA-ggmp-fxfg-277r
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-4ywn-n1my-83ev |
|
| 7 |
| url |
VCID-7hxh-btrk-skhg |
| vulnerability_id |
VCID-7hxh-btrk-skhg |
| summary |
Improperly Controlled Modification of Dynamically-Determined Object Attributes
In Apache Struts 2.0.0 to 2.5.20, forced double OGNL evaluation, when performed on raw user input in tag attributes, may lead to remote code execution. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2019-0230, GHSA-wp4h-pvgw-5727
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7hxh-btrk-skhg |
|
| 8 |
| url |
VCID-7uv9-4vy7-ryd1 |
| vulnerability_id |
VCID-7uv9-4vy7-ryd1 |
| summary |
Apache Struts vulnerable to remote command execution (RCE) due to improper input validation
Apache Struts contains a remote code execution flaw when using results with no namespace while the upper actions have no namespace or a wildcard namespace. The same flaw exists when using a url tag with no value and action set while its upper actions have no namespace or a wildcard namespace. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://cwiki.apache.org/confluence/display/WW/S2-057 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T21:01:33Z/ |
|
|
| url |
https://cwiki.apache.org/confluence/display/WW/S2-057 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
| reference_url |
https://lgtm.com/blog/apache_struts_CVE-2018-11776 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T21:01:33Z/ |
|
|
| url |
https://lgtm.com/blog/apache_struts_CVE-2018-11776 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
| reference_url |
http://www.securityfocus.com/bid/105125 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T21:01:33Z/ |
|
|
| url |
http://www.securityfocus.com/bid/105125 |
|
| 28 |
| reference_url |
http://www.securitytracker.com/id/1041547 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T21:01:33Z/ |
|
|
| url |
http://www.securitytracker.com/id/1041547 |
|
| 29 |
| reference_url |
http://www.securitytracker.com/id/1041888 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T21:01:33Z/ |
|
|
| url |
http://www.securitytracker.com/id/1041888 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
| reference_url |
https://github.com/hook-s3c/CVE-2018-11776-Python-PoC |
| reference_id |
CVE-2018-11776-PYTHON-POC |
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Attend |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-06T21:01:33Z/ |
|
|
| url |
https://github.com/hook-s3c/CVE-2018-11776-Python-PoC |
|
| 42 |
|
| 43 |
|
|
| fixed_packages |
|
| aliases |
CVE-2018-11776, GHSA-cr6j-3jp9-rw65
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7uv9-4vy7-ryd1 |
|
| 9 |
| url |
VCID-84ge-vq7u-j3ar |
| vulnerability_id |
VCID-84ge-vq7u-j3ar |
| summary |
Incomplete fix for ClassLoader manipulation via ParametersInterceptor
The `ParametersInterceptor` in this package allows remote attackers to `manipulate` the `ClassLoader` via the class parameter, which is passed to the getClass method. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.16.2 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.16.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 1 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 2 |
| vulnerability |
VCID-4ywn-n1my-83ev |
|
| 3 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 4 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 5 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 6 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 7 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 8 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 9 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 10 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 11 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 12 |
| vulnerability |
VCID-ghqg-ae1b-w7br |
|
| 13 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 14 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 15 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 16 |
| vulnerability |
VCID-m39c-3bv2-6ugy |
|
| 17 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 18 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 19 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 20 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 21 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 22 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 23 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 24 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 25 |
| vulnerability |
VCID-t1s3-f181-tqca |
|
| 26 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 27 |
| vulnerability |
VCID-wtca-5ffw-w7bc |
|
| 28 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 29 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 30 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 31 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.16.2 |
|
|
| aliases |
CVE-2014-0094, GHSA-vrwc-qjmw-5rjm
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-84ge-vq7u-j3ar |
|
| 10 |
| url |
VCID-89az-256b-mubw |
| vulnerability_id |
VCID-89az-256b-mubw |
| summary |
Code Injection
Apache Struts 2 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.14.3 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.14.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1exe-1vfk-f7bn |
|
| 1 |
| vulnerability |
VCID-1uv2-rvmy-53hk |
|
| 2 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 3 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 4 |
| vulnerability |
VCID-4ywn-n1my-83ev |
|
| 5 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 6 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 7 |
| vulnerability |
VCID-84ge-vq7u-j3ar |
|
| 8 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 9 |
| vulnerability |
VCID-8jup-umjw-9ba4 |
|
| 10 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 11 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 12 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 13 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 14 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 15 |
| vulnerability |
VCID-fvde-37ch-z7cg |
|
| 16 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 17 |
| vulnerability |
VCID-ghqg-ae1b-w7br |
|
| 18 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 19 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 20 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 21 |
| vulnerability |
VCID-kmqa-hsqy-muf1 |
|
| 22 |
| vulnerability |
VCID-m39c-3bv2-6ugy |
|
| 23 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 24 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 25 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 26 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 27 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 28 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 29 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 30 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 31 |
| vulnerability |
VCID-t1s3-f181-tqca |
|
| 32 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 33 |
| vulnerability |
VCID-wtca-5ffw-w7bc |
|
| 34 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 35 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 36 |
| vulnerability |
VCID-xpa5-fsb6-ukay |
|
| 37 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 38 |
| vulnerability |
VCID-z6wr-3psx-dbfm |
|
| 39 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.14.3 |
|
|
| aliases |
CVE-2013-2134, GHSA-gqqm-564f-vvxq
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-89az-256b-mubw |
|
| 11 |
| url |
VCID-8cmt-z8g9-duf2 |
| vulnerability_id |
VCID-8cmt-z8g9-duf2 |
| summary |
Apache Struts 2 is Missing XML Validation
Missing XML Validation vulnerability in Apache Struts.
This issue affects Apache Struts: from 2.0.0 before 2.2.1, and from 2.2.1 through 6.1.0.
Users are recommended to upgrade to version 6.1.1, which fixes the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-68493, GHSA-qcfc-hmrc-59x7
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8cmt-z8g9-duf2 |
|
| 12 |
| url |
VCID-8jup-umjw-9ba4 |
| vulnerability_id |
VCID-8jup-umjw-9ba4 |
| summary |
Classloader manipulation via CookieInterceptor
CookieInterceptor in this package, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.16.2 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.16.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 1 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 2 |
| vulnerability |
VCID-4ywn-n1my-83ev |
|
| 3 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 4 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 5 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 6 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 7 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 8 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 9 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 10 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 11 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 12 |
| vulnerability |
VCID-ghqg-ae1b-w7br |
|
| 13 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 14 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 15 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 16 |
| vulnerability |
VCID-m39c-3bv2-6ugy |
|
| 17 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 18 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 19 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 20 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 21 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 22 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 23 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 24 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 25 |
| vulnerability |
VCID-t1s3-f181-tqca |
|
| 26 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 27 |
| vulnerability |
VCID-wtca-5ffw-w7bc |
|
| 28 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 29 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 30 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 31 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.16.2 |
|
| 1 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.20 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1cxn-qv1w-2kh7 |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 3 |
| vulnerability |
VCID-4t8h-s9mh-p7c4 |
|
| 4 |
| vulnerability |
VCID-6dfe-8yy4-kkfj |
|
| 5 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 6 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 7 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 8 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 9 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 10 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 11 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 12 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 13 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 14 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 15 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 16 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 17 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 18 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 19 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 20 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 21 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 22 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 23 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 24 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 25 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 26 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 27 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 28 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 29 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 30 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20 |
|
|
| aliases |
CVE-2014-0113, GHSA-3c5c-xrq4-qhr8
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8jup-umjw-9ba4 |
|
| 13 |
| url |
VCID-9mn7-d2mm-uqay |
| vulnerability_id |
VCID-9mn7-d2mm-uqay |
| summary |
Cross-site Scripting
Cross-site scripting (XSS) vulnerability in the `URLDecoder` function in the JRE, as used in Apache Struts, when a single-byte page encoding is in use, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a URL-encoded parameter. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.24.3 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.24.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 1 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 2 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 3 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 4 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 5 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 6 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 7 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 8 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 9 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 10 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 11 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 12 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 13 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 14 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 15 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 16 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 17 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 18 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 19 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 20 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 21 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 22 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 23 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.24.3 |
|
| 1 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.28 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.28 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1cxn-qv1w-2kh7 |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 3 |
| vulnerability |
VCID-6dfe-8yy4-kkfj |
|
| 4 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 5 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 6 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 7 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 8 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 9 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 10 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 11 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 12 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 13 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 14 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 15 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 16 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 17 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 18 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 19 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 20 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 21 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 22 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 23 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 24 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.28 |
|
|
| aliases |
CVE-2016-4003, GHSA-m3x6-9v6h-4g28
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9mn7-d2mm-uqay |
|
| 14 |
| url |
VCID-cv6j-98vx-n3ed |
| vulnerability_id |
VCID-cv6j-98vx-n3ed |
| summary |
Path Traversal
In the Convention plugin in Apache Struts, it is possible to prepare a special URL which can be used for path traversal and execution of arbitrary code on the server side. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.5.5 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.5.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-21k4-5a8r-7bd9 |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 3 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 4 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 5 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 6 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 7 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 8 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 9 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 10 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 11 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 12 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 13 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 14 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 15 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 16 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 17 |
| vulnerability |
VCID-ybuw-727z-r3eb |
|
| 18 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.5 |
|
|
| aliases |
CVE-2016-6795, GHSA-44hv-jjx7-qfjg
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cv6j-98vx-n3ed |
|
| 15 |
| url |
VCID-dbzr-zyeu-73g8 |
| vulnerability_id |
VCID-dbzr-zyeu-73g8 |
| summary |
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
The fix issued for CVE-2020-17530 was incomplete. As a result, in Apache Struts 2.0.0 through 2.5.29, some of the tag's attributes could still perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to Remote Code Execution and security degradation. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2021-31805, GHSA-v8j6-6c2r-r27c
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dbzr-zyeu-73g8 |
|
| 16 |
| url |
VCID-dj42-wym9-nbhv |
| vulnerability_id |
VCID-dj42-wym9-nbhv |
| summary |
Improper Input Validation
The XStream library used by the Apache Struts REST Plugin allows attackers to perform a DoS attack using a malicious request with a specially crafted XML payload. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2018-1327, GHSA-38cr-2ph5-frr9
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dj42-wym9-nbhv |
|
| 17 |
| url |
VCID-dvxu-9sh6-qbef |
| vulnerability_id |
VCID-dvxu-9sh6-qbef |
| summary |
Improper Input Validation
Using an unintentional expression in a Freemarker tag instead of string literals can lead to an RCE attack. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.20.3 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.20.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 1 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 2 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 3 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 4 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 5 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 6 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 7 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 8 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 9 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 10 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 11 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 12 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 13 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 14 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 15 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 16 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 17 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 18 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 19 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 20 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 21 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 22 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 23 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 24 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20.3 |
|
|
| aliases |
CVE-2017-12611, GHSA-8fx9-5hx8-crhm
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dvxu-9sh6-qbef |
|
| 18 |
| url |
VCID-fvde-37ch-z7cg |
| vulnerability_id |
VCID-fvde-37ch-z7cg |
| summary |
XSS via malicious action parameter
Multiple cross-site scripting (XSS) vulnerabilities in this package allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to `actionNames.action` and `showConfig.action` in `config-browser/`. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.16 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.16 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1uv2-rvmy-53hk |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 3 |
| vulnerability |
VCID-4ywn-n1my-83ev |
|
| 4 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 5 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 6 |
| vulnerability |
VCID-84ge-vq7u-j3ar |
|
| 7 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 8 |
| vulnerability |
VCID-8jup-umjw-9ba4 |
|
| 9 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 10 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 11 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 12 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 13 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 14 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 15 |
| vulnerability |
VCID-ghqg-ae1b-w7br |
|
| 16 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 17 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 18 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 19 |
| vulnerability |
VCID-m39c-3bv2-6ugy |
|
| 20 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 21 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 22 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 23 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 24 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 25 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 26 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 27 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 28 |
| vulnerability |
VCID-t1s3-f181-tqca |
|
| 29 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 30 |
| vulnerability |
VCID-wtca-5ffw-w7bc |
|
| 31 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 32 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 33 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 34 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.16 |
|
|
| aliases |
CVE-2013-6348, GHSA-3g8j-jj54-3vjg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fvde-37ch-z7cg |
|
| 19 |
| url |
VCID-fwkj-x53j-yqd8 |
| vulnerability_id |
VCID-fwkj-x53j-yqd8 |
| summary |
Manipulation of Struts internals
This package allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.24.1 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.24.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1cxn-qv1w-2kh7 |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 3 |
| vulnerability |
VCID-6dfe-8yy4-kkfj |
|
| 4 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 5 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 6 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 7 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 8 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 9 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 10 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 11 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 12 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 13 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 14 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 15 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 16 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 17 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 18 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 19 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 20 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 21 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 22 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 23 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 24 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 25 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 26 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.24.1 |
|
|
| aliases |
CVE-2015-5209, GHSA-4qgj-9mvg-3929
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fwkj-x53j-yqd8 |
|
| 20 |
| url |
VCID-ghqg-ae1b-w7br |
| vulnerability_id |
VCID-ghqg-ae1b-w7br |
| summary |
Classloader manipulation via CookieInterceptor
CookieInterceptor in this package, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.16.3 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.16.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 1 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 2 |
| vulnerability |
VCID-4ywn-n1my-83ev |
|
| 3 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 4 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 5 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 6 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 7 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 8 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 9 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 10 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 11 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 12 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 13 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 14 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 15 |
| vulnerability |
VCID-m39c-3bv2-6ugy |
|
| 16 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 17 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 18 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 19 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 20 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 21 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 22 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 23 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 24 |
| vulnerability |
VCID-t1s3-f181-tqca |
|
| 25 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 26 |
| vulnerability |
VCID-wtca-5ffw-w7bc |
|
| 27 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 28 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 29 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 30 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.16.3 |
|
| 1 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.20 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1cxn-qv1w-2kh7 |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 3 |
| vulnerability |
VCID-4t8h-s9mh-p7c4 |
|
| 4 |
| vulnerability |
VCID-6dfe-8yy4-kkfj |
|
| 5 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 6 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 7 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 8 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 9 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 10 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 11 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 12 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 13 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 14 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 15 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 16 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 17 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 18 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 19 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 20 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 21 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 22 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 23 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 24 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 25 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 26 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 27 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 28 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 29 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 30 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20 |
|
|
| aliases |
CVE-2014-0116, GHSA-hmhq-382q-mp56
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ghqg-ae1b-w7br |
|
| 21 |
| url |
VCID-gvwn-8r4r-47gm |
| vulnerability_id |
VCID-gvwn-8r4r-47gm |
| summary |
Apache Struts has a Denial of Service vulnerability
Denial of Service vulnerability in Apache Struts: a file leak in multipart request processing causes disk exhaustion.
This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3.
Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-66675, GHSA-rg58-xhh7-mqjw
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gvwn-8r4r-47gm |
|
| 22 |
| url |
VCID-hrky-nmnv-g3eu |
| vulnerability_id |
VCID-hrky-nmnv-g3eu |
| summary |
Improper Input Validation
If an application allows entering a URL in a form field and the built-in `URLValidator` is used, it is possible to prepare a special URL which overloads the server process when the URL is validated. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.20.3 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.20.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 1 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 2 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 3 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 4 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 5 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 6 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 7 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 8 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 9 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 10 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 11 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 12 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 13 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 14 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 15 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 16 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 17 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 18 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 19 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 20 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 21 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 22 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 23 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 24 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20.3 |
|
| 1 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.24 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.24 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1cxn-qv1w-2kh7 |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 3 |
| vulnerability |
VCID-6dfe-8yy4-kkfj |
|
| 4 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 5 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 6 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 7 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 8 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 9 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 10 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 11 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 12 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 13 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 14 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 15 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 16 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 17 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 18 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 19 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 20 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 21 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 22 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 23 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 24 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 25 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 26 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 27 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.24 |
|
|
| aliases |
CVE-2017-9804, GHSA-x5x7-3v85-wpc4
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hrky-nmnv-g3eu |
|
| 23 |
| url |
VCID-jzbz-jpe1-cycg |
| vulnerability_id |
VCID-jzbz-jpe1-cycg |
| summary |
Apache Struts improper action name cleanup
Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name cleanup. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.5.1 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.5.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-21k4-5a8r-7bd9 |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 3 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 4 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 5 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 6 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 7 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 8 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 9 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 10 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 11 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 12 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 13 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 14 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 15 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 16 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 17 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 18 |
| vulnerability |
VCID-ybuw-727z-r3eb |
|
| 19 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.1 |
|
|
| aliases |
CVE-2016-4436, GHSA-xm92-v2mq-842q
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jzbz-jpe1-cycg |
|
| 24 |
| url |
VCID-kmqa-hsqy-muf1 |
| vulnerability_id |
VCID-kmqa-hsqy-muf1 |
| summary |
Broken Access Control Vulnerability
This package allows remote attackers to bypass access controls via a crafted `action:` prefix. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.15.3 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.15.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1uv2-rvmy-53hk |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 3 |
| vulnerability |
VCID-4ywn-n1my-83ev |
|
| 4 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 5 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 6 |
| vulnerability |
VCID-84ge-vq7u-j3ar |
|
| 7 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 8 |
| vulnerability |
VCID-8jup-umjw-9ba4 |
|
| 9 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 10 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 11 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 12 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 13 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 14 |
| vulnerability |
VCID-fvde-37ch-z7cg |
|
| 15 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 16 |
| vulnerability |
VCID-ghqg-ae1b-w7br |
|
| 17 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 18 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 19 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 20 |
| vulnerability |
VCID-m39c-3bv2-6ugy |
|
| 21 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 22 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 23 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 24 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 25 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 26 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 27 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 28 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 29 |
| vulnerability |
VCID-t1s3-f181-tqca |
|
| 30 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 31 |
| vulnerability |
VCID-wtca-5ffw-w7bc |
|
| 32 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 33 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 34 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 35 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.15.3 |
|
|
| aliases |
CVE-2013-4310, GHSA-q5q8-jghf-3pm3
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-kmqa-hsqy-muf1 |
|
| 25 |
| url |
VCID-m39c-3bv2-6ugy |
| vulnerability_id |
VCID-m39c-3bv2-6ugy |
| summary |
Cross-Site Scripting vulnerability on "Problem Report" screen
When Debug mode is turned on, under certain conditions an arbitrary script may be executed in the `Problem Report` screen. Also, if JSP files are exposed so that they can be accessed directly, it is possible to execute an arbitrary script. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.20 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1cxn-qv1w-2kh7 |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 3 |
| vulnerability |
VCID-4t8h-s9mh-p7c4 |
|
| 4 |
| vulnerability |
VCID-6dfe-8yy4-kkfj |
|
| 5 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 6 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 7 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 8 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 9 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 10 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 11 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 12 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 13 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 14 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 15 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 16 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 17 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 18 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 19 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 20 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 21 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 22 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 23 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 24 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 25 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 26 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 27 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 28 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 29 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 30 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20 |
|
|
| aliases |
CVE-2015-5169, GHSA-vwhv-j36g-5rm8
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m39c-3bv2-6ugy |
|
| 26 |
| url |
VCID-mmth-7rgf-aqfa |
| vulnerability_id |
VCID-mmth-7rgf-aqfa |
| summary |
Uncontrolled Resource Consumption
When using Spring AOP functionality to secure Struts actions, it is possible to perform a DoS attack. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2017-9787, GHSA-8mr5-h28g-36qx
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mmth-7rgf-aqfa |
|
| 27 |
| url |
VCID-mvdz-exud-3ybz |
| vulnerability_id |
VCID-mvdz-exud-3ybz |
| summary |
Files or Directories Accessible to External Parties
An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2023-50164, GHSA-2j39-qcjm-428w
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mvdz-exud-3ybz |
|
| 28 |
|
| 29 |
| url |
VCID-npge-yn8z-6fac |
| vulnerability_id |
VCID-npge-yn8z-6fac |
| summary |
Improper Input Validation
The REST plugin in Apache Struts 2 allows remote attackers to execute arbitrary code via a crafted expression. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2016-4438, GHSA-4prj-vw9j-v6pr
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-npge-yn8z-6fac |
|
| 30 |
| url |
VCID-nztp-y8p8-cqc6 |
| vulnerability_id |
VCID-nztp-y8p8-cqc6 |
| summary |
Remote code execution in Apache Struts
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. |
| references |
| 0 |
| reference_url |
http://jvn.jp/en/jp/JVN43969166/index.html |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-06T20:53:17Z/ |
|
|
| url |
http://jvn.jp/en/jp/JVN43969166/index.html |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://cwiki.apache.org/confluence/display/WW/S2-061 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-06T20:53:17Z/ |
|
|
| url |
https://cwiki.apache.org/confluence/display/WW/S2-061 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
|
| aliases |
CVE-2020-17530, GHSA-jc35-q369-45pv
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nztp-y8p8-cqc6 |
|
| 31 |
| url |
VCID-pdny-erzd-jqhc |
| vulnerability_id |
VCID-pdny-erzd-jqhc |
| summary |
Apache Struts XSS Vulnerability
Apache Struts 2.x before 2.3.28 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.28 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.28 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1cxn-qv1w-2kh7 |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 3 |
| vulnerability |
VCID-6dfe-8yy4-kkfj |
|
| 4 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 5 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 6 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 7 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 8 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 9 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 10 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 11 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 12 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 13 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 14 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 15 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 16 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 17 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 18 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 19 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 20 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 21 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 22 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 23 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 24 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.28 |
|
|
| aliases |
CVE-2016-2162, GHSA-2j4q-9fff-236j
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pdny-erzd-jqhc |
|
| 32 |
| url |
VCID-q2ad-khtm-nqdr |
| vulnerability_id |
VCID-q2ad-khtm-nqdr |
| summary |
Improper Input Validation
Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.24.3 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.24.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 1 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 2 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 3 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 4 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 5 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 6 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 7 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 8 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 9 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 10 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 11 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 12 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 13 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 14 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 15 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 16 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 17 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 18 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 19 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 20 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 21 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 22 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 23 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.24.3 |
|
|
| aliases |
CVE-2016-3093, GHSA-383p-xqxx-rrmp
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-q2ad-khtm-nqdr |
|
| 33 |
| url |
VCID-renj-v5ce-2khx |
| vulnerability_id |
VCID-renj-v5ce-2khx |
| summary |
Apache Struts vulnerable to memory exhaustion
Denial of service via out of memory (OOM) owing to no sanity limit on normal form fields in multipart forms. When a Multipart request has non-file normal form fields, Struts used to bring them into memory as Strings without checking their sizes. This could lead to an OOM if the developer has set struts.multipart.maxSize to a value equal to or greater than the available memory.
Upgrade to Struts 2.5.31 or 6.1.2.1 or greater. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-34396, GHSA-4g42-gqrg-4633
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-renj-v5ce-2khx |
|
| 34 |
| url |
VCID-t1s3-f181-tqca |
| vulnerability_id |
VCID-t1s3-f181-tqca |
| summary |
Cross-site Scripting
Apache Struts has a cross-site scripting (XSS) vulnerability. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.20 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1cxn-qv1w-2kh7 |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 3 |
| vulnerability |
VCID-4t8h-s9mh-p7c4 |
|
| 4 |
| vulnerability |
VCID-6dfe-8yy4-kkfj |
|
| 5 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 6 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 7 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 8 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 9 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 10 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 11 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 12 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 13 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 14 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 15 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 16 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 17 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 18 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 19 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 20 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 21 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 22 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 23 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 24 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 25 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 26 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 27 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 28 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 29 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 30 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20 |
|
|
| aliases |
CVE-2015-2992, GHSA-265r-pp83-gww7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t1s3-f181-tqca |
|
| 35 |
| url |
VCID-vztu-pap6-37ev |
| vulnerability_id |
VCID-vztu-pap6-37ev |
| summary |
Apache Struts vulnerable to remote arbitrary command execution due to improper input validation
Apache Struts versions prior to 2.3.32 and 2.5.10.1 contain incorrect exception handling and error-message generation during file-upload attempts using the Jakarta Multipart parser, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://cwiki.apache.org/confluence/display/WW/S2-045 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
10.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-06T21:06:33Z/ |
|
|
| url |
https://cwiki.apache.org/confluence/display/WW/S2-045 |
|
| 6 |
| reference_url |
https://cwiki.apache.org/confluence/display/WW/S2-046 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
10.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-06T21:06:33Z/ |
|
|
| url |
https://cwiki.apache.org/confluence/display/WW/S2-046 |
|
| 7 |
| reference_url |
https://exploit-db.com/exploits/41570 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
10.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-06T21:06:33Z/ |
|
|
| url |
https://exploit-db.com/exploits/41570 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
| reference_url |
https://github.com/mazen160/struts-pwn |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
10.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-06T21:06:33Z/ |
|
|
| url |
https://github.com/mazen160/struts-pwn |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
| reference_url |
https://isc.sans.edu/diary/22169 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
10.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-06T21:06:33Z/ |
|
|
| url |
https://isc.sans.edu/diary/22169 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
| reference_url |
https://struts.apache.org/docs/s2-045.html |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
10.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-06T21:06:33Z/ |
|
|
| url |
https://struts.apache.org/docs/s2-045.html |
|
| 32 |
| reference_url |
https://struts.apache.org/docs/s2-046.html |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
10.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-06T21:06:33Z/ |
|
|
| url |
https://struts.apache.org/docs/s2-046.html |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
| reference_url |
https://www.kb.cert.org/vuls/id/834067 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
10.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-06T21:06:33Z/ |
|
|
| url |
https://www.kb.cert.org/vuls/id/834067 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
| reference_url |
http://www.securityfocus.com/bid/96729 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
10.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-06T21:06:33Z/ |
|
|
| url |
http://www.securityfocus.com/bid/96729 |
|
| 45 |
| reference_url |
http://www.securitytracker.com/id/1037973 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
10.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-06T21:06:33Z/ |
|
|
| url |
http://www.securitytracker.com/id/1037973 |
|
| 46 |
|
| 47 |
|
| 48 |
|
| 49 |
|
| 50 |
|
| 51 |
|
| 52 |
|
| 53 |
|
| 54 |
|
| 55 |
|
| 56 |
|
| 57 |
|
| 58 |
|
|
| fixed_packages |
|
| aliases |
CVE-2017-5638, GHSA-j77q-2qqg-6989
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vztu-pap6-37ev |
|
| 36 |
| url |
VCID-wtca-5ffw-w7bc |
| vulnerability_id |
VCID-wtca-5ffw-w7bc |
| summary |
Predictable CSRF token
This package uses predictable `<s:token/>` values, which allows remote attackers to bypass the CSRF protection mechanism. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.20 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.20 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1cxn-qv1w-2kh7 |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 3 |
| vulnerability |
VCID-4t8h-s9mh-p7c4 |
|
| 4 |
| vulnerability |
VCID-6dfe-8yy4-kkfj |
|
| 5 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 6 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 7 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 8 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 9 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 10 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 11 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 12 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 13 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 14 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 15 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 16 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 17 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 18 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 19 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 20 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 21 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 22 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 23 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 24 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 25 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 26 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 27 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 28 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 29 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 30 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20 |
|
|
| aliases |
CVE-2014-7809, GHSA-h4v9-jf2r-9h6m
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wtca-5ffw-w7bc |
|
| 37 |
| url |
VCID-wzez-6cmp-n7gn |
| vulnerability_id |
VCID-wzez-6cmp-n7gn |
| summary |
Apache Struts vulnerable to memory exhaustion
Denial of service via out of memory (OOM) owing to improper checking of list bounds. When a Multipart request has non-file normal form fields, Struts used to bring them into memory as Strings without checking their sizes. This could lead to an OOM if the developer has set struts.multipart.maxSize to a value equal to or greater than the available memory.
Upgrade to Struts 2.5.31 or 6.1.2.1 or greater. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-34149, GHSA-8f6x-v685-g2xc
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wzez-6cmp-n7gn |
|
| 38 |
| url |
VCID-xgnf-d44x-kfc9 |
| vulnerability_id |
VCID-xgnf-d44x-kfc9 |
| summary |
Improper Input Validation
Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.20.3 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.20.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 1 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 2 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 3 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 4 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 5 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 6 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 7 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 8 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 9 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 10 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 11 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 12 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 13 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 14 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 15 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 16 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 17 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 18 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 19 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 20 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 21 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 22 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 23 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 24 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20.3 |
|
| 1 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.24.3 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.24.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 1 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 2 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 3 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 4 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 5 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 6 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 7 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 8 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 9 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 10 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 11 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 12 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 13 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 14 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 15 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 16 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 17 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 18 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 19 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 20 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 21 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 22 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 23 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.24.3 |
|
| 2 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.28 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.28 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1cxn-qv1w-2kh7 |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 3 |
| vulnerability |
VCID-6dfe-8yy4-kkfj |
|
| 4 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 5 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 6 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 7 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 8 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 9 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 10 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 11 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 12 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 13 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 14 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 15 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 16 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 17 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 18 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 19 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 20 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 21 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 22 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 23 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 24 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.28 |
|
|
| aliases |
CVE-2016-0785, GHSA-876p-4wgc-75rx
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xgnf-d44x-kfc9 |
|
| 39 |
| url |
VCID-xpa5-fsb6-ukay |
| vulnerability_id |
VCID-xpa5-fsb6-ukay |
| summary |
Code injection in Apache Struts
The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with "action:" or "redirect:", followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 2.3.15.1 the information following "action:", "redirect:" or "redirectAction:" is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code. |
| references |
| 0 |
| reference_url |
http://archiva.apache.org/security.html |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-07T13:24:31Z/ |
|
|
| url |
http://archiva.apache.org/security.html |
|
| 1 |
| reference_url |
http://cxsecurity.com/issue/WLB-2014010087 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-07T13:24:31Z/ |
|
|
| url |
http://cxsecurity.com/issue/WLB-2014010087 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
http://seclists.org/fulldisclosure/2013/Oct/96 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-07T13:24:31Z/ |
|
|
| url |
http://seclists.org/fulldisclosure/2013/Oct/96 |
|
| 5 |
| reference_url |
http://seclists.org/oss-sec/2014/q1/89 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
|
| 1 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-07T13:24:31Z/ |
|
|
| url |
http://seclists.org/oss-sec/2014/q1/89 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
| reference_url |
http://osvdb.org/98445 |
| reference_id |
98445 |
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
Act |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-02-07T13:24:31Z/ |
|
|
| url |
http://osvdb.org/98445 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.15.1 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.15.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1uv2-rvmy-53hk |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 3 |
| vulnerability |
VCID-4ywn-n1my-83ev |
|
| 4 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 5 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 6 |
| vulnerability |
VCID-84ge-vq7u-j3ar |
|
| 7 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 8 |
| vulnerability |
VCID-8jup-umjw-9ba4 |
|
| 9 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 10 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 11 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 12 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 13 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 14 |
| vulnerability |
VCID-fvde-37ch-z7cg |
|
| 15 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 16 |
| vulnerability |
VCID-ghqg-ae1b-w7br |
|
| 17 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 18 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 19 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 20 |
| vulnerability |
VCID-kmqa-hsqy-muf1 |
|
| 21 |
| vulnerability |
VCID-m39c-3bv2-6ugy |
|
| 22 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 23 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 24 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 25 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 26 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 27 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 28 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 29 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 30 |
| vulnerability |
VCID-t1s3-f181-tqca |
|
| 31 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 32 |
| vulnerability |
VCID-wtca-5ffw-w7bc |
|
| 33 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 34 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 35 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 36 |
| vulnerability |
VCID-z6wr-3psx-dbfm |
|
| 37 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.15.1 |
|
|
| aliases |
CVE-2013-2251, GHSA-47qp-8v9g-39hp |
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xpa5-fsb6-ukay |
|
| 40 |
| url |
VCID-z1jy-4da2-tyhk |
| vulnerability_id |
VCID-z1jy-4da2-tyhk |
| summary |
Improper Input Validation
`XSLTResult` in Apache Struts allows remote attackers to execute arbitrary code via the stylesheet location parameter. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.20.3 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.20.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 1 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 2 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 3 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 4 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 5 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 6 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 7 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 8 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 9 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 10 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 11 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 12 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 13 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 14 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 15 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 16 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 17 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 18 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 19 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 20 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 21 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 22 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 23 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 24 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20.3 |
|
| 1 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.24.3 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.24.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 1 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 2 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 3 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 4 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 5 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 6 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 7 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 8 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 9 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 10 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 11 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 12 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 13 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 14 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 15 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 16 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 17 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 18 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 19 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 20 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 21 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 22 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 23 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.24.3 |
|
| 2 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.28.1 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.28.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 1 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 2 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 3 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 4 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 5 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 6 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 7 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 8 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 9 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 10 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 11 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 12 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 13 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 14 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 15 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 16 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 17 |
| vulnerability |
VCID-qdsq-8td3-5qa1 |
|
| 18 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 19 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 20 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 21 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.28.1 |
|
|
| aliases |
CVE-2016-3082, GHSA-pvm9-288c-v5wq |
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-z1jy-4da2-tyhk |
|
| 41 |
| url |
VCID-z6wr-3psx-dbfm |
| vulnerability_id |
VCID-z6wr-3psx-dbfm |
| summary |
This package enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.apache.struts/struts2-core@2.3.15.2 |
| purl |
pkg:maven/org.apache.struts/struts2-core@2.3.15.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1uv2-rvmy-53hk |
|
| 1 |
| vulnerability |
VCID-4bm7-hbe1-mfca |
|
| 2 |
| vulnerability |
VCID-4bzw-ges2-d7ek |
|
| 3 |
| vulnerability |
VCID-4ywn-n1my-83ev |
|
| 4 |
| vulnerability |
VCID-7hxh-btrk-skhg |
|
| 5 |
| vulnerability |
VCID-7uv9-4vy7-ryd1 |
|
| 6 |
| vulnerability |
VCID-84ge-vq7u-j3ar |
|
| 7 |
| vulnerability |
VCID-8cmt-z8g9-duf2 |
|
| 8 |
| vulnerability |
VCID-8jup-umjw-9ba4 |
|
| 9 |
| vulnerability |
VCID-9mn7-d2mm-uqay |
|
| 10 |
| vulnerability |
VCID-cv6j-98vx-n3ed |
|
| 11 |
| vulnerability |
VCID-dbzr-zyeu-73g8 |
|
| 12 |
| vulnerability |
VCID-dj42-wym9-nbhv |
|
| 13 |
| vulnerability |
VCID-dvxu-9sh6-qbef |
|
| 14 |
| vulnerability |
VCID-fvde-37ch-z7cg |
|
| 15 |
| vulnerability |
VCID-fwkj-x53j-yqd8 |
|
| 16 |
| vulnerability |
VCID-ghqg-ae1b-w7br |
|
| 17 |
| vulnerability |
VCID-gvwn-8r4r-47gm |
|
| 18 |
| vulnerability |
VCID-hrky-nmnv-g3eu |
|
| 19 |
| vulnerability |
VCID-jzbz-jpe1-cycg |
|
| 20 |
| vulnerability |
VCID-kmqa-hsqy-muf1 |
|
| 21 |
| vulnerability |
VCID-m39c-3bv2-6ugy |
|
| 22 |
| vulnerability |
VCID-mmth-7rgf-aqfa |
|
| 23 |
| vulnerability |
VCID-mvdz-exud-3ybz |
|
| 24 |
| vulnerability |
VCID-nm42-xrpq-7ued |
|
| 25 |
| vulnerability |
VCID-npge-yn8z-6fac |
|
| 26 |
| vulnerability |
VCID-nztp-y8p8-cqc6 |
|
| 27 |
| vulnerability |
VCID-pdny-erzd-jqhc |
|
| 28 |
| vulnerability |
VCID-q2ad-khtm-nqdr |
|
| 29 |
| vulnerability |
VCID-renj-v5ce-2khx |
|
| 30 |
| vulnerability |
VCID-t1s3-f181-tqca |
|
| 31 |
| vulnerability |
VCID-vztu-pap6-37ev |
|
| 32 |
| vulnerability |
VCID-wtca-5ffw-w7bc |
|
| 33 |
| vulnerability |
VCID-wzez-6cmp-n7gn |
|
| 34 |
| vulnerability |
VCID-xgnf-d44x-kfc9 |
|
| 35 |
| vulnerability |
VCID-z1jy-4da2-tyhk |
|
| 36 |
| vulnerability |
VCID-z9v1-pwvn-2bcy |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.15.2 |
|
|
| aliases |
CVE-2013-4316, GHSA-j7h6-xr7g-m2c5 |
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-z6wr-3psx-dbfm |
|
| 42 |
| url |
VCID-z9v1-pwvn-2bcy |
| vulnerability_id |
VCID-z9v1-pwvn-2bcy |
| summary |
Apache Struts file upload logic is flawed
Flawed file upload logic vulnerability in Apache Struts. An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
This issue affects Apache Struts versions from 2.0.0 before 6.4.0.
Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism described at https://struts.apache.org/core-developers/file-upload. If you are not using the old file upload logic based on FileUploadInterceptor, your application is safe.
You can find more details at https://cwiki.apache.org/confluence/display/WW/S2-067. |
| references |
| 2 |
| reference_url |
https://cwiki.apache.org/confluence/display/WW/S2-067 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
9.5 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:A/V:C/RE:L/U:Red |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-12-12T15:19:19Z/ |
|
|
| url |
https://cwiki.apache.org/confluence/display/WW/S2-067 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/apache/struts |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
9.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
9.5 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:A/V:C/RE:L/U:Red |
|
| 2 |
| value |
CRITICAL |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/apache/struts |
|
|
| fixed_packages |
|
| aliases |
CVE-2024-53677, GHSA-43mq-6xmg-29vm |
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-z9v1-pwvn-2bcy |
|