Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.struts/struts2-core@2.3.28

Type maven

Namespace org.apache.struts

Name struts2-core

Version 2.3.28

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.3.31

Latest_non_vulnerable_version 7.1.1

Affected_by_vulnerabilities

url VCID-6dfe-8yy4-kkfj

vulnerability_id VCID-6dfe-8yy4-kkfj

summary

Improper Neutralization of Special Elements used in a Command ('Command Injection')
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

references

reference_url	http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html
reference_id
reference_type
scores
url	http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html

reference_url	https://struts.apache.org/docs/s2-032.html
reference_id
reference_type
scores
url	https://struts.apache.org/docs/s2-032.html

reference_url	https://web.archive.org/web/20210123152457/http://www.securityfocus.com/bid/91787
reference_id
reference_type
scores
url	https://web.archive.org/web/20210123152457/http://www.securityfocus.com/bid/91787

reference_url	https://web.archive.org/web/20210225192113/http://www.securityfocus.com/bid/87327
reference_id
reference_type
scores
url	https://web.archive.org/web/20210225192113/http://www.securityfocus.com/bid/87327

reference_url	https://web.archive.org/web/20210226011418/http://www.securitytracker.com/id/1035665
reference_id
reference_type
scores
url	https://web.archive.org/web/20210226011418/http://www.securitytracker.com/id/1035665

reference_url	https://www.exploit-db.com/exploits/39756/
reference_id
reference_type
scores
url	https://www.exploit-db.com/exploits/39756/

reference_url	http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160527-01-struts2-en
reference_id
reference_type
scores
url	http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160527-01-struts2-en

reference_url	http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
reference_id
reference_type
scores
url	http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

reference_url	http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
reference_id
reference_type
scores
url	http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

reference_url	http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec
reference_id
reference_type
scores
url	http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec

reference_url	http://www.rapid7.com/db/modules/exploit/multi/http/struts_dmi_exec
reference_id
reference_type
scores
url	http://www.rapid7.com/db/modules/exploit/multi/http/struts_dmi_exec

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2016-3081
reference_id	CVE-2016-3081
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2016-3081

reference_url	https://github.com/advisories/GHSA-8c6j-ffmf-q6vm
reference_id	GHSA-8c6j-ffmf-q6vm
reference_type
scores
url	https://github.com/advisories/GHSA-8c6j-ffmf-q6vm

fixed_packages

aliases CVE-2016-3081, GHSA-8c6j-ffmf-q6vm

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6dfe-8yy4-kkfj

url VCID-qdsq-8td3-5qa1

vulnerability_id VCID-qdsq-8td3-5qa1

summary

Improper Input Validation
The `URLValidator` class in Apache Struts 2 allows remote attackers to cause a denial of service via a `null` value for a URL field.

references

reference_url	http://jvndb.jvn.jp/jvndb/JVNDB-2016-000114
reference_id
reference_type
scores
url	http://jvndb.jvn.jp/jvndb/JVNDB-2016-000114

reference_url	http://jvn.jp/en/jp/JVN12352818/index.html
reference_id
reference_type
scores
url	http://jvn.jp/en/jp/JVN12352818/index.html

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1348253
reference_id
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1348253

reference_url	https://struts.apache.org/docs/s2-041.html
reference_id
reference_type
scores
url	https://struts.apache.org/docs/s2-041.html

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2016-4465
reference_id	CVE-2016-4465
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2016-4465

fixed_packages

url pkg:maven/org.apache.struts/struts2-core@2.3.29

purl pkg:maven/org.apache.struts/struts2-core@2.3.29

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvxu-9sh6-qbef

vulnerability	VCID-hrky-nmnv-g3eu

vulnerability	VCID-mmth-7rgf-aqfa

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.29

url	pkg:maven/org.apache.struts/struts2-core@2.5.1
purl	pkg:maven/org.apache.struts/struts2-core@2.5.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.1

aliases CVE-2016-4465

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qdsq-8td3-5qa1

url VCID-z1jy-4da2-tyhk

vulnerability_id VCID-z1jy-4da2-tyhk

summary

Improper Input Validation
`XSLTResult` in Apache Struts allows remote attackers to execute arbitrary code via the stylesheet location parameter.

references

reference_url	http://struts.apache.org/docs/s2-031.html
reference_id
reference_type
scores
url	http://struts.apache.org/docs/s2-031.html

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2016-3082
reference_id	CVE-2016-3082
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2016-3082

fixed_packages

url pkg:maven/org.apache.struts/struts2-core@2.3.28.1

purl pkg:maven/org.apache.struts/struts2-core@2.3.28.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvxu-9sh6-qbef

vulnerability	VCID-hrky-nmnv-g3eu

vulnerability	VCID-mmth-7rgf-aqfa

vulnerability	VCID-qdsq-8td3-5qa1

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.28.1

aliases CVE-2016-3082

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z1jy-4da2-tyhk

Fixing_vulnerabilities

url VCID-xgnf-d44x-kfc9

vulnerability_id VCID-xgnf-d44x-kfc9

summary

Improper Input Validation
Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.

references

reference_url	http://struts.apache.org/docs/s2-029.html
reference_id
reference_type
scores
url	http://struts.apache.org/docs/s2-029.html

reference_url	https://web.archive.org/web/20210123095715/http://www.securityfocus.com/bid/85066
reference_id
reference_type
scores
url	https://web.archive.org/web/20210123095715/http://www.securityfocus.com/bid/85066

reference_url	https://web.archive.org/web/20220118185853/http://www.securitytracker.com/id/1035271
reference_id
reference_type
scores
url	https://web.archive.org/web/20220118185853/http://www.securitytracker.com/id/1035271

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2016-0785
reference_id	CVE-2016-0785
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2016-0785

reference_url	https://github.com/advisories/GHSA-876p-4wgc-75rx
reference_id	GHSA-876p-4wgc-75rx
reference_type
scores
url	https://github.com/advisories/GHSA-876p-4wgc-75rx

fixed_packages

url pkg:maven/org.apache.struts/struts2-core@2.3.28

purl pkg:maven/org.apache.struts/struts2-core@2.3.28

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6dfe-8yy4-kkfj

vulnerability	VCID-qdsq-8td3-5qa1

vulnerability	VCID-z1jy-4da2-tyhk

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.28

aliases CVE-2016-0785, GHSA-876p-4wgc-75rx

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xgnf-d44x-kfc9

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.28

Package Instance