Remote Code Execution Vulnerability in Apache Struts 2.x
CVE-2016-4461

8.8HIGH

Key Information:

Vendor
Apache
Status
Struts
Vendor
CVE Published:
16 October 2017

Summary

An issue in Apache Struts 2.x versions prior to 2.3.29 enables remote attackers to execute arbitrary code through crafted tag attributes. This vulnerability arises from an incomplete fix related to forced double OGNL evaluation, allowing malicious actors to manipulate execution flow and run unintended commands on compromised systems.

References

http://www.securityfocus.com/bid/91277
vdb-entryx_refsource_BID
https://struts.apache.org/docs/s2-036.html
x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20180629-0004/
x_refsource_CONFIRM

EPSS Score

8% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.