{"url":"http://public2.vulnerablecode.io/api/packages/51204?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.2.3","type":"maven","namespace":"org.apache.struts","name":"struts2-core","version":"2.2.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.3.31","latest_non_vulnerable_version":"7.1.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38856?format=json","vulnerability_id":"VCID-dvxu-9sh6-qbef","summary":"Improper Input Validation\nUsing an unintentional expression in a Freemarker tag instead of string literals can lead to an RCE attack.","references":[{"reference_url":"https://struts.apache.org/docs/s2-053.html","reference_id":"","reference_type":"","scores":[],"url":"https://struts.apache.org/docs/s2-053.html"},{"reference_url":"http://www.securityfocus.com/bid/100829","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/100829"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12611","reference_id":"CVE-2017-12611","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12611"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54100?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.3.34","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.34"},{"url":"http://public2.vulnerablecode.io/api/packages/53731?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.5.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-hrky-nmnv-g3eu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.12"}],"aliases":["CVE-2017-12611"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dvxu-9sh6-qbef"},{"url":"
http://public2.vulnerablecode.io/api/vulnerabilities/37426?format=json","vulnerability_id":"VCID-kc4z-fnyk-tkdu","summary":"OGNL expression unexpected evaluation on conversion error\nThis package evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.","references":[{"reference_url":"http://jvndb.jvn.jp/jvndb/JVNDB-2012-000012","reference_id":"","reference_type":"","scores":[],"url":"http://jvndb.jvn.jp/jvndb/JVNDB-2012-000012"},{"reference_url":"http://jvn.jp/en/jp/JVN79099262/index.html","reference_id":"","reference_type":"","scores":[],"url":"http://jvn.jp/en/jp/JVN79099262/index.html"},{"reference_url":"https://github.com/apache/struts/commit/25e50069d60434a30395e3a98357ffba2bed427e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/25e50069d60434a30395e3a98357ffba2bed427e"},{"reference_url":"https://github.com/apache/struts/commit/5f54b8d087f5125d96838aafa5f64c2190e6885b","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/5f54b8d087f5125d96838aafa5f64c2190e6885b"},{"reference_url":"https://github.com/apache/struts/commit/b4265d369dc29d57a9f2846a85b26598e83f3892","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/struts/commit/b4265d369dc29d57a9f2846a85b26598e83f3892"},{"reference_url":"https://issues.apache.org/jira/browse/WW-3668","reference_id":"","reference_type":"","scores":[],"url":"https://issues.apache.org/jira/browse/WW-3668"},{"reference_url":"http://struts.apache.org/2.3.1.2/docs/s2-007.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/2.3.1.2/docs/s2-007.html"},{"reference_url":"http://struts.apache.org/docs/s2-007.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/docs/s2-007.html"},{"reference_
url":"https://nvd.nist.gov/vuln/detail/CVE-2012-0838","reference_id":"CVE-2012-0838","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2012-0838"},{"reference_url":"https://github.com/advisories/GHSA-mwrx-hx6x-3hhv","reference_id":"GHSA-mwrx-hx6x-3hhv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mwrx-hx6x-3hhv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51236?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.2.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dvxu-9sh6-qbef"},{"vulnerability":"VCID-z1jy-4da2-tyhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.2.3.1"}],"aliases":["CVE-2012-0838","GHSA-mwrx-hx6x-3hhv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kc4z-fnyk-tkdu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/38100?format=json","vulnerability_id":"VCID-z1jy-4da2-tyhk","summary":"Improper Input Validation\n`XSLTResult` in Apache Struts allows remote attackers to execute arbitrary code via the stylesheet location 
parameter.","references":[{"reference_url":"http://struts.apache.org/docs/s2-031.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/docs/s2-031.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-3082","reference_id":"CVE-2016-3082","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-3082"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52682?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.3.20.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mmth-7rgf-aqfa"},{"vulnerability":"VCID-qdsq-8td3-5qa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.20.3"},{"url":"http://public2.vulnerablecode.io/api/packages/52636?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.3.24.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dvxu-9sh6-qbef"},{"vulnerability":"VCID-hrky-nmnv-g3eu"},{"vulnerability":"VCID-mmth-7rgf-aqfa"},{"vulnerability":"VCID-qdsq-8td3-5qa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.24.3"},{"url":"http://public2.vulnerablecode.io/api/packages/52683?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.3.28.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dvxu-9sh6-qbef"},{"vulnerability":"VCID-hrky-nmnv-g3eu"},{"vulnerability":"VCID-mmth-7rgf-aqfa"},{"vulnerability":"VCID-qdsq-8td3-5qa1"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.28.1"}],"aliases":["CVE-2016-3082"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-z1jy-4da2-tyhk"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37406?format=json","vulnerability_id":"VCID-emya-8et9-
n7a9","summary":"Multiple XSS flaws in XWork\nMultiple cross-site scripting (XSS) vulnerabilities in XWork allow remote attackers to inject arbitrary web script or HTML via vectors involving an action name, the action attribute of an `s:submit` element, or the method attribute of an `s:submit` element.","references":[{"reference_url":"http://struts.apache.org/docs/s2-006.html","reference_id":"","reference_type":"","scores":[],"url":"http://struts.apache.org/docs/s2-006.html"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51204?format=json","purl":"pkg:maven/org.apache.struts/struts2-core@2.2.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dvxu-9sh6-qbef"},{"vulnerability":"VCID-kc4z-fnyk-tkdu"},{"vulnerability":"VCID-z1jy-4da2-tyhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.2.3"}],"aliases":["CVE-2011-1772"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-emya-8et9-n7a9"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.2.3"}