CVE-2016-3081 – org.apache.struts:struts2-core
Package
Manager: maven
Name: org.apache.struts:struts2-core
Vulnerable Version: >=2.3.19 <2.3.20.3 || >=2.3.21 <2.3.24.3 || >=2.3.25 <2.3.28.1
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.94025 (percentile 0.9989)
Details
Apache Struts RCE Vulnerability
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via the method: prefix, related to chained expressions.
Metadata
Created: 2022-05-14T00:54:14Z
Modified: 2023-11-01T19:47:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8c6j-ffmf-q6vm/GHSA-8c6j-ffmf-q6vm.json
CWE IDs: ["CWE-77"]
Alternative ID: GHSA-8c6j-ffmf-q6vm
Finding: F422
Auto approve: 1