Search for packages
| purl | pkg:maven/org.apache.struts/struts2-core@2.3.4.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2chz-36wn-9fcv
Aliases: CVE-2015-5209 GHSA-4qgj-9mvg-3929 |
Manipulation of Struts internals This package allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object. |
Affected by 27 other vulnerabilities. |
|
VCID-2rjv-1thm-dugt
Aliases: CVE-2016-3082 GHSA-pvm9-288c-v5wq |
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. |
Affected by 25 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-2v7h-fght-cugn
Aliases: CVE-2014-7809 GHSA-h4v9-jf2r-9h6m |
Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. |
Affected by 31 other vulnerabilities. |
|
VCID-3yq7-n972-j7dh
Aliases: CVE-2019-0230 GHSA-wp4h-pvgw-5727 |
Improperly Controlled Modification of Dynamically-Determined Object Attributes Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. |
Affected by 8 other vulnerabilities. |
|
VCID-4agy-6nsx-7ufh
Aliases: CVE-2016-3093 GHSA-383p-xqxx-rrmp |
Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors. |
Affected by 24 other vulnerabilities. |
|
VCID-579w-2k2v-efa2
Aliases: CVE-2017-12611 GHSA-8fx9-5hx8-crhm |
In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack. |
Affected by 25 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-6241-shkt-s7ew
Aliases: CVE-2013-2134 GHSA-gqqm-564f-vvxq |
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135. |
Affected by 40 other vulnerabilities. |
|
VCID-6hrc-fm64-ckhf
Aliases: CVE-2016-2162 GHSA-2j4q-9fff-236j |
Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. |
Affected by 25 other vulnerabilities. |
|
VCID-6t1x-s2k2-b7bq
Aliases: CVE-2013-4310 GHSA-q5q8-jghf-3pm3 |
Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix. |
Affected by 36 other vulnerabilities. |
|
VCID-74ab-1p1c-4qbd
Aliases: CVE-2016-6795 GHSA-44hv-jjx7-qfjg |
In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side. |
Affected by 17 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-759g-hsfg-97f8
Aliases: CVE-2013-2248 GHSA-rpj9-r897-wc6q |
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix. |
Affected by 38 other vulnerabilities. |
|
VCID-79j9-v8gz-rfax
Aliases: CVE-2020-17530 GHSA-jc35-q369-45pv |
Remote code execution in Apache Struts Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. |
Affected by 7 other vulnerabilities. |
|
VCID-7c97-nj5a-hqb8
Aliases: CVE-2017-5638 GHSA-j77q-2qqg-6989 |
Affected by 16 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
|
VCID-87fh-rvvb-6ubq
Aliases: CVE-2024-53677 GHSA-43mq-6xmg-29vm |
Apache Struts file upload logic is flawed File upload logic is flawed vulnerability in Apache Struts. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload. If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067 . |
Affected by 1 other vulnerability. |
|
VCID-8bsh-bshc-vkgq
Aliases: CVE-2016-4461 GHSA-864w-r5qj-h6fj |
Apache Struts forced double OGNL evaluation Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785. |
Affected by 18 other vulnerabilities. |
|
VCID-8mws-fbmg-cqa9
Aliases: CVE-2015-2992 GHSA-265r-pp83-gww7 |
Cross-site Scripting in Apache Struts When the Struts2 debug mode is turned on, under certain conditions an arbitrary script may be executed in the 'Problem Report' screen. Also if JSP files are exposed to be accessed directly it's possible to execute an arbitrary script. It is generally not advisable to have debug mode switched on outside of the development environment. Debug mode should always be turned off in production setup. Also never expose JSPs files directly and hide them inside WEB-INF folder or define dedicated security constraints to block access to raw JSP files. Struts >= 2.3.20 is not vulnerable to this attack. We recommend upgrading to Struts 2.3.20 or higher if turning off debug mode is not possible. |
Affected by 31 other vulnerabilities. |
|
VCID-95ts-vpk6-uubg
Aliases: CVE-2025-66675 GHSA-rg58-xhh7-mqjw |
Apache Struts has a Denial of Service vulnerability Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-at5c-f8p8-67fh
Aliases: CVE-2016-4003 GHSA-m3x6-9v6h-4g28 |
Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter. |
Affected by 24 other vulnerabilities. Affected by 25 other vulnerabilities. |
|
VCID-b59n-uxft-4qgz
Aliases: CVE-2013-4316 GHSA-j7h6-xr7g-m2c5 |
Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. |
Affected by 37 other vulnerabilities. |
|
VCID-b7zy-qhz9-tuar
Aliases: CVE-2023-34149 GHSA-8f6x-v685-g2xc |
Apache Struts vulnerable to memory exhaustion Denial of service via out of memory (OOM) owing to not properly checking of list bounds. When a Multipart request has non-file normal form fields, Struts used to bring them into memory as Strings without checking their sizes. This could lead to OOM if developer has set struts.multipart.maxSize to a value equal or greater than the available memory. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater. |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-bgbt-j1n9-6yg5
Aliases: CVE-2018-1327 GHSA-38cr-2ph5-frr9 |
The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here http://struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16. |
Affected by 12 other vulnerabilities. |
|
VCID-cm62-bsdz-yye2
Aliases: CVE-2018-11776 GHSA-cr6j-3jp9-rw65 |
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace. |
Affected by 12 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-dk2f-14xj-9bf8
Aliases: CVE-2023-34396 GHSA-4g42-gqrg-4633 |
Apache Struts vulnerable to memory exhaustion Denial of service via out of memory (OOM) owing to no sanity limit on normal form fields in multipart forms. When a Multipart request has non-file normal form fields, Struts used to bring them into memory as Strings without checking their sizes. This could lead to an OOM if developer has set struts.multipart.maxSize to a value equal or greater than the available memory. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-gfxq-vtry-bqgg
Aliases: CVE-2023-50164 GHSA-2j39-qcjm-428w |
Files or Directories Accessible to External Parties An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue. |
Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-h4yg-zrv6-aqa1
Aliases: CVE-2014-0112 GHSA-prjv-jj26-wf8h |
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. |
Affected by 32 other vulnerabilities. Affected by 31 other vulnerabilities. |
|
VCID-hgj2-vqzn-gyeb
Aliases: CVE-2021-31805 GHSA-v8j6-6c2r-r27c |
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation. |
Affected by 6 other vulnerabilities. |
|
VCID-hkjh-35ye-1ugj
Aliases: CVE-2013-2115 GHSA-7ghm-rpc7-p7g5 |
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966. |
Affected by 43 other vulnerabilities. |
|
VCID-j5su-cnqd-6yad
Aliases: CVE-2016-0785 GHSA-876p-4wgc-75rx |
Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. |
Affected by 25 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 25 other vulnerabilities. |
|
VCID-kdsa-599r-eud7
Aliases: CVE-2014-0094 GHSA-vrwc-qjmw-5rjm |
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method. |
Affected by 32 other vulnerabilities. |
|
VCID-me84-wy85-hkf5
Aliases: CVE-2015-5169 GHSA-vwhv-j36g-5rm8 |
Cross-Site Scripting vulnerability on "Problem Report" screen When Debug mode is turned on, under certain conditions an arbitrary script may be executed in the `Problem Report` screen. Also if JSP files are exposed to be accessed directly it's possible to execute an arbitrary script. |
Affected by 31 other vulnerabilities. |
|
VCID-n2dn-bnjc-13gp
Aliases: CVE-2014-0113 GHSA-3c5c-xrq4-qhr8 |
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094. |
Affected by 32 other vulnerabilities. Affected by 31 other vulnerabilities. |
|
VCID-n4fb-crnk-eugz
Aliases: CVE-2013-1965 GHSA-whmq-v94q-34p9 |
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. |
Affected by 40 other vulnerabilities. |
|
VCID-qqm4-frqy-bua5
Aliases: CVE-2013-6348 GHSA-3g8j-jj54-3vjg |
XSS via malicious action parameter Multiple cross-site scripting (XSS) vulnerabilities in this package allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to `actionNames.action` and `showConfig.action` in `config-browser/`. |
Affected by 35 other vulnerabilities. |
|
VCID-tcaj-6bcg-k7g2
Aliases: CVE-2016-3090 GHSA-ggmp-fxfg-277r |
Improper Input Validation The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling. |
Affected by 31 other vulnerabilities. |
|
VCID-tgd1-s1yg-9fdt
Aliases: CVE-2025-68493 GHSA-qcfc-hmrc-59x7 |
Apache Struts 2 is Missing XML Validation Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue. |
Affected by 12 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-vgp6-jxqt-pbf4
Aliases: CVE-2016-4438 GHSA-4prj-vw9j-v6pr |
The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. |
Affected by 18 other vulnerabilities. |
|
VCID-vkb9-11h4-dugp
Aliases: CVE-2013-1966 GHSA-737w-mh58-cxjp |
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. |
Affected by 43 other vulnerabilities. |
|
VCID-vnkw-9fa2-zqcm
Aliases: CVE-2013-2135 GHSA-pw8r-x2qm-3h5m |
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice. |
Affected by 40 other vulnerabilities. |
|
VCID-xz41-1z86-37ew
Aliases: CVE-2013-2251 GHSA-47qp-8v9g-39hp |
Affected by 38 other vulnerabilities. |
|
|
VCID-y5uq-a6dx-3yd4
Aliases: CVE-2012-1592 GHSA-8m5q-crqq-6pmf |
Unrestricted Upload of File with Dangerous Type A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files. |
Affected by 8 other vulnerabilities. |
|
VCID-ygbu-vb2t-jqhx
Aliases: CVE-2016-4436 GHSA-xm92-v2mq-842q |
Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. |
Affected by 18 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-zb3c-gnyc-yug8
Aliases: CVE-2014-0116 GHSA-hmhq-382q-mp56 |
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113. |
Affected by 31 other vulnerabilities. Affected by 31 other vulnerabilities. |
|
VCID-zxww-8kb3-tufv
Aliases: CVE-2019-0233 GHSA-ccp5-gg58-pxfm |
Improper Preservation of Permissions in Apache Struts An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload. |
Affected by 8 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-k6mz-k1yb-4uej | CSRF protection bypass The token check mechanism in this package does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute. |
CVE-2012-4386
GHSA-2rvh-q539-q33v |
| VCID-q96z-v3bs-k3dg | Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression. |
CVE-2012-4387
GHSA-hrgc-54mv-58gv |