CVE-2016-4461

8.8HIGH

Key Information:

Vendor: Apache
Status: Struts
Vendor: CVE Published:; 16 October 2017

Summary

Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.

References

http://www.securityfocus.com/bid/91277

vdb-entryx_refsource_BID

https://struts.apache.org/docs/s2-036.html

x_refsource_CONFIRM

https://security.netapp.com/advisory/ntap-20180629-0004/

x_refsource_CONFIRM

EPSS Score

8% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 16, 2017
Vulnerability Reserved
May 2, 2016