CVE-2016-3087 – org.apache.struts:struts2-core

Package

Manager: maven
Name: org.apache.struts:struts2-core
Vulnerable Version: >=2.3.19 <2.3.20.3 || >=2.3.21 <2.3.24.3 || >=2.3.25 <2.3.28.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.86541 pctl0.99379

Details

Apache Struts vulnerable to arbitrary remote code execution due to improper input validation Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an `!` (exclamation mark) operator to the REST Plugin.

Metadata

Created: 2022-05-14T00:54:14Z
Modified: 2023-12-29T17:27:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mmj6-cjj4-hpr5/GHSA-mmj6-cjj4-hpr5.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-mmj6-cjj4-hpr5
Finding: F184
Auto approve: 1