Path Traversal and Code Execution Vulnerability in Apache Struts Convention Plugin
CVE-2016-6795
9.8CRITICAL
Summary
The Convention plugin in Apache Struts versions prior to 2.3.31 for 2.3.x and prior to 2.5.5 for 2.5.x is susceptible to a critical vulnerability. By crafting a specially designed URL, attackers can exploit this flaw to perform path traversal attacks, potentially leading to the execution of arbitrary code on the server. This vulnerability poses significant risk as it allows unauthorized access to sensitive data and system controls.
Affected Version(s)
Apache Struts 2.3.x before 2.3.31
Apache Struts 2.5.x before 2.5.5
References
EPSS Score
10% chance of being exploited in the next 30 days.
CVSS V3.1
Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved