[MAVEN:GHSA-44HV-JJX7-QFJG] Path Traversal in Apache Struts

Severity Critical
Affected Packages 2
Fixed Packages 2
CVEs 1

In Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL that will be used for path traversal and execution of arbitrary code on the server side. This vulnerability is only exploitable when the Struts 2 Convention plugin is used in conjunction with Apache Struts.

ID
MAVEN:GHSA-44HV-JJX7-QFJG
Severity
critical
URL
https://github.com/advisories/GHSA-44hv-jjx7-qfjg
Published
2022-05-14T00:54:13
Modified
2024-01-04T20:43:48
Rights
Maven Security Team
Type      Package URL                                              Namespace          Name / Product             Version
Affected  pkg:maven/org.apache.struts/struts2-convention-plugin    org.apache.struts  struts2-convention-plugin  >= 2.5.0, < 2.5.5
Fixed     pkg:maven/org.apache.struts/struts2-convention-plugin    org.apache.struts  struts2-convention-plugin  = 2.5.5
Affected  pkg:maven/org.apache.struts/struts2-convention-plugin    org.apache.struts  struts2-convention-plugin  >= 2.3.0, < 2.3.31
Fixed     pkg:maven/org.apache.struts/struts2-convention-plugin    org.apache.struts  struts2-convention-plugin  = 2.3.31