Apache Struts vulnerable to arbitrary remote code execution due to improper input validation

GHSA-mmj6-cjj4-hpr5 · CVE-2016-3087

Published May 14, 2022 · Modified Feb 22, 2024

Description

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2016-3087
WEB https://github.com/apache/struts/commit/6bd694b7980494c12d49ca1bf39f12aec3e03e2f
PACKAGE https://github.com/apache/struts
WEB https://web.archive.org/web/20160616082237/http://www.securitytracker.com/id/1036017
WEB https://web.archive.org/web/20160728170709/http://www.securityfocus.com/bid/90960
WEB https://www.exploit-db.com/exploits/39919
WEB http://struts.apache.org/docs/s2-033.html
WEB http://www-01.ibm.com/support/docview.wss?uid=swg21987854

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes