[MAVEN:GHSA-8C6J-FFMF-Q6VM] Apache Struts RCE Vulnerability

Severity: High
Affected Packages: 3
Fixed Packages: 3
CVEs: 1

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via the method: prefix, related to chained expressions.

| Package | Affected Version |
| --- | --- |
| pkg:maven/org.apache.struts/struts2-core | >= 2.3.21, <= 2.3.24.2 |
| pkg:maven/org.apache.struts/struts2-core | >= 2.3.25, <= 2.3.28 |
| pkg:maven/org.apache.struts/struts2-core | >= 2.3.19, <= 2.3.20.2 |

ID: MAVEN:GHSA-8C6J-FFMF-Q6VM
Severity: high
URL: https://github.com/advisories/GHSA-8c6j-ffmf-q6vm
Published: 2022-05-14T00:54:14 (2 years ago)
Modified: 2023-11-01T19:47:30 (10 months ago)
Rights: Maven Security Team

| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Affected | pkg:maven/org.apache.struts/struts2-core | org.apache.struts | struts2-core | >= 2.3.21 <= 2.3.24.2 | | | |
| Fixed | pkg:maven/org.apache.struts/struts2-core | org.apache.struts | struts2-core | = 2.3.24.3 | | | |
| Affected | pkg:maven/org.apache.struts/struts2-core | org.apache.struts | struts2-core | >= 2.3.25 <= 2.3.28 | | | |
| Fixed | pkg:maven/org.apache.struts/struts2-core | org.apache.struts | struts2-core | = 2.3.28.1 | | | |
| Affected | pkg:maven/org.apache.struts/struts2-core | org.apache.struts | struts2-core | >= 2.3.19 <= 2.3.20.2 | | | |
| Fixed | pkg:maven/org.apache.struts/struts2-core | org.apache.struts | struts2-core | = 2.3.20.3 | | | |