| purl | pkg:maven/org.apache.struts/struts2-core@2.5.10.1 |

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-3yq7-n972-j7dh (aliases: CVE-2019-0230, GHSA-wp4h-pvgw-5727) | Improperly Controlled Modification of Dynamically-Determined Object Attributes. Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. | Affected by 8 other vulnerabilities. |
| VCID-579w-2k2v-efa2 (aliases: CVE-2017-12611, GHSA-8fx9-5hx8-crhm) | In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack. | Affected by 0 other vulnerabilities. Affected by 14 other vulnerabilities. |
| VCID-79j9-v8gz-rfax (aliases: CVE-2020-17530, GHSA-jc35-q369-45pv) | Remote code execution in Apache Struts. Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. | Affected by 7 other vulnerabilities. |
| VCID-87fh-rvvb-6ubq (aliases: CVE-2024-53677, GHSA-43mq-6xmg-29vm) | Apache Struts file upload logic is flawed. File upload logic is flawed vulnerability in Apache Struts. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0 at least and migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload. If you are not using an old file upload logic based on FileuploadInterceptor your application is safe. You can find more details in https://cwiki.apache.org/confluence/display/WW/S2-067 . | Affected by 1 other vulnerability. |
| VCID-95ts-vpk6-uubg (aliases: CVE-2025-66675, GHSA-rg58-xhh7-mqjw) | Apache Struts has a Denial of Service vulnerability. Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-b7zy-qhz9-tuar (aliases: CVE-2023-34149, GHSA-8f6x-v685-g2xc) | Apache Struts vulnerable to memory exhaustion. Denial of service via out of memory (OOM) owing to not properly checking of list bounds. When a Multipart request has non-file normal form fields, Struts used to bring them into memory as Strings without checking their sizes. This could lead to OOM if developer has set struts.multipart.maxSize to a value equal or greater than the available memory. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater. | Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
| VCID-bgbt-j1n9-6yg5 (aliases: CVE-2018-1327, GHSA-38cr-2ph5-frr9) | The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here http://struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16. | Affected by 12 other vulnerabilities. |
| VCID-cm62-bsdz-yye2 (aliases: CVE-2018-11776, GHSA-cr6j-3jp9-rw65) | Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace. | Affected by 11 other vulnerabilities. |
| VCID-dk2f-14xj-9bf8 (aliases: CVE-2023-34396, GHSA-4g42-gqrg-4633) | Apache Struts vulnerable to memory exhaustion. Denial of service via out of memory (OOM) owing to no sanity limit on normal form fields in multipart forms. When a Multipart request has non-file normal form fields, Struts used to bring them into memory as Strings without checking their sizes. This could lead to an OOM if developer has set struts.multipart.maxSize to a value equal or greater than the available memory. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater. | Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
| VCID-gfxq-vtry-bqgg (aliases: CVE-2023-50164, GHSA-2j39-qcjm-428w) | Files or Directories Accessible to External Parties. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue. | Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-hgj2-vqzn-gyeb (aliases: CVE-2021-31805, GHSA-v8j6-6c2r-r27c) | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection'). The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation. | Affected by 6 other vulnerabilities. |
| VCID-mdde-pa5h-w7g4 (aliases: CVE-2017-9804, GHSA-x5x7-3v85-wpc4) | In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672. | Affected by 13 other vulnerabilities. |
| VCID-tgd1-s1yg-9fdt (aliases: CVE-2025-68493, GHSA-qcfc-hmrc-59x7) | Apache Struts 2 is Missing XML Validation. Missing XML Validation vulnerability in Apache Struts, Apache Struts. This issue affects Apache Struts: from 2.0.0 before 2.2.1; Apache Struts: from 2.2.1 through 6.1.0. Users are recommended to upgrade to version 6.1.1, which fixes the issue. | Affected by 5 other vulnerabilities. |
| VCID-y4qu-21c9-6fav (aliases: CVE-2017-9787, GHSA-8mr5-h28g-36qx) | When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33. | Affected by 14 other vulnerabilities. |
| VCID-y5uq-a6dx-3yd4 (aliases: CVE-2012-1592, GHSA-8m5q-crqq-6pmf) | Unrestricted Upload of File with Dangerous Type. A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files. | Affected by 8 other vulnerabilities. |
| VCID-zkg1-bed6-bbfv (aliases: CVE-2017-7672, GHSA-9gp7-jvm2-r4mx) | If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. Solution is to upgrade to Apache Struts version 2.5.12. | Affected by 14 other vulnerabilities. |
| VCID-zxww-8kb3-tufv (aliases: CVE-2019-0233, GHSA-ccp5-gg58-pxfm) | Improper Preservation of Permissions in Apache Struts. An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload. | Affected by 8 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-579w-2k2v-efa2 | In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack. | CVE-2017-12611, GHSA-8fx9-5hx8-crhm |
| VCID-7c97-nj5a-hqb8 | | CVE-2017-5638, GHSA-j77q-2qqg-6989 |