org.apache.struts:struts2-core
Maven | 57 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.apache.struts:struts2-core (page 1 of 2)
- CVE-2008-6505 | NONE | CVSS 0.0 | ✓ Fixed in 2.1.3 | 2009-03-23
vulnerable: 2.1.2
Multiple directory traversal vulnerabilities in Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3 allow remote attackers to read arbitrary files via a ..%252f (encoded dot dot slash) in a URI with a /struts/ path, related to (1) Fil…
- CVE-2008-6682 | NONE | CVSS 0.0 | ✓ Fixed in 2.1.1 | 2009-04-09
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.x before 2.0.11.1 and 2.1.x before 2.1.1 allow remote attackers to inject arbitrary web script or HTML via vectors associated with improper handling of (1) " (double …
- CVE-2010-1870 | NONE | CVSS 0.0 | ✓ Fixed in 2.2.1 | 2010-08-17
vulnerable: 2.0.11 ... 2.1.8.1 (13 versions)
The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-…
- CVE-2011-1772 | NONE | CVSS 0.0 | ✓ Fixed in 2.2.3 | 2011-05-13
vulnerable: 2.0.11 ... 2.2.1.1 (15 versions)
Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an acti…
- CVE-2011-3923 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.3.1.2 | 2019-11-01
vulnerable: 2.0.11 ... 2.3.1.1 (19 versions)
Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.
- CVE-2012-0391 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | ✓ Fixed in 2.2.3.1 | 2012-01-08
vulnerable: 2.0.11 ... 2.2.3 (16 versions)
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary …
- CVE-2012-0392 | NONE | CVSS 0.0 | ✓ Fixed in 2.2.3.1 | 2012-01-08
vulnerable: 2.0.11 ... 2.2.3 (16 versions)
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution throu…
- CVE-2012-0393 | NONE | CVSS 0.0 | ✓ Fixed in 2.3.1.1 | 2012-01-08
vulnerable: 2.0.11 ... 2.3.1 (18 versions)
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a…
- CVE-2012-0838 | NONE | CVSS 0.0 | ✓ Fixed in 2.2.3.1 | 2012-03-02
vulnerable: 2.0.11 ... 2.2.3 (16 versions)
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to …
- CVE-2012-1592 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.5.22 | 2019-12-05
vulnerable: 2.0.11 ... 2.5.8 (73 versions)
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.
- CVE-2012-4386 | NONE | CVSS 0.0 | ✓ Fixed in 2.3.4.1 | 2012-09-05
vulnerable: 2.0.11 ... 2.3.4 (22 versions)
The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name …
- CVE-2013-1965 | NONE | CVSS 0.0 | ✓ Fixed in 2.3.14.3 | 2013-07-10
vulnerable: 2.0.11 ... 2.3.8 (29 versions)
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
- CVE-2013-1966 | NONE | CVSS 0.0 | ✓ Fixed in 2.3.14.2 | 2013-07-10
vulnerable: 2.0.11 ... 2.3.8 (28 versions)
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.
- CVE-2013-2115 | HIGH | CVSS 8.1 | ✓ Fixed in 2.3.14.2 | 2013-07-10
vulnerable: 2.0.11 ... 2.3.8 (28 versions)
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an inc…
- CVE-2013-2134 | NONE | CVSS 0.0 | ✓ Fixed in 2.3.14.3 | 2013-07-16
vulnerable: 2.0.11 ... 2.3.8 (29 versions)
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.
- CVE-2013-2135 | NONE | CVSS 0.0 | ✓ Fixed in 2.3.14.3 | 2013-07-16
vulnerable: 2.0.11 ... 2.3.8 (29 versions)
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.
- CVE-2013-2248 | NONE | CVSS 0.0 | ✓ Fixed in 2.3.15.1 | 2013-07-20
vulnerable: 2.0.11 ... 2.3.8 (31 versions)
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectActio…
- CVE-2013-2251 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | ✓ Fixed in 2.3.15.1 | 2013-07-20
vulnerable: 2.0.11 ... 2.3.8 (31 versions)
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
- CVE-2013-4310 | NONE | CVSS 0.0 | ✓ Fixed in 2.3.15.3 | 2013-09-30
vulnerable: 2.0.11 ... 2.3.8 (33 versions)
Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix.
- CVE-2013-4316 | NONE | CVSS 0.0 | ✓ Fixed in 2.3.15.2 | 2013-09-30
vulnerable: 2.0.11 ... 2.3.8 (32 versions)
Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
- CVE-2013-6348 | NONE | CVSS 0.0 | ✓ Fixed in 2.3.16 | 2013-11-02
vulnerable: 2.0.11 ... 2.3.8 (34 versions)
Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.3.15.3 allow remote attackers to inject arbitrary web script or HTML via the namespace parameter to (1) actionNames.action and (2) showConfig.action in config-browser/.
- CVE-2014-0094 | NONE | CVSS 0.0 | ✓ Fixed in 2.3.16.2 | 2014-03-11
vulnerable: 2.0.11 ... 2.3.8 (36 versions)
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.
- CVE-2014-0112 | NONE | CVSS 0.0 | ✓ Fixed in 2.3.20 | 2014-04-29
vulnerable: 2.0.11 ... 2.3.8 (38 versions)
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulne…
- CVE-2014-0113 | NONE | CVSS 0.0 | ✓ Fixed in 2.3.20 | 2014-04-29
vulnerable: 2.0.11 ... 2.3.8 (38 versions)
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code…
- CVE-2014-0116 | NONE | CVSS 0.0 | ✓ Fixed in 2.3.20 | 2014-05-08
vulnerable: 2.0.11 ... 2.3.8 (38 versions)
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session sta…
- CVE-2014-7809 | NONE | CVSS 0.0 | ✓ Fixed in 2.3.20 | 2014-12-10
vulnerable: 2.0.11 ... 2.3.8 (38 versions)
Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.
- CVE-2015-1831 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 2.3.20.1 | 2015-07-16
vulnerable: 2.0.11 ... 2.3.8 (39 versions)
The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors.
- CVE-2015-2992 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 2.3.20 | 2020-02-27
vulnerable: 2.0.11 ... 2.3.8 (38 versions)
Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.
- CVE-2015-5169 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 2.3.20 | 2017-09-25
vulnerable: 2.0.11 ... 2.3.8 (38 versions)
Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20.
- CVE-2015-5209 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.3.24.1 | 2017-08-29
vulnerable: 2.0.11 ... 2.3.8 (42 versions)
Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.
- CVE-2016-0785 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.3.24.3 | 2016-04-12
vulnerable: 2.3.24, 2.3.24.1
Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.
- CVE-2016-2162 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 2.3.28 | 2016-04-12
vulnerable: 2.0.11 ... 2.3.8 (44 versions)
Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.
- CVE-2016-3081 | HIGH | CVSS 8.1 | EG 9.0 | ✓ Fixed in 2.3.28.1 | 2016-04-26
vulnerable: 2.3.28
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
- CVE-2016-3082 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.3.28.1 | 2016-04-26
vulnerable: 2.3.28
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.
- CVE-2016-3087 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.3.28.1 | 2016-06-07
vulnerable: 2.3.28
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plu…
- CVE-2016-3093 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 2.3.24.3 | 2016-06-07
vulnerable: 2.0.11 ... 2.3.8 (43 versions)
Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.
- CVE-2016-4003 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 2.3.28 | 2016-04-12
vulnerable: 2.0.11 ... 2.3.8 (44 versions)
Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via m…
- CVE-2016-4436 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.5.1 | 2016-10-03
vulnerable: 2.5, 2.5-BETA1, 2.5-BETA2, 2.5-BETA3
Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.
- CVE-2016-4438 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.3.29 | 2016-07-04
vulnerable: 2.3.20 ... 2.3.28.1 (8 versions)
The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.
- CVE-2016-4461 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.3.29 | 2017-10-16
vulnerable: 2.0.11 ... 2.3.8 (46 versions)
Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.
- CVE-2016-4465 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 2.5.13 | 2016-07-04
vulnerable: 2.5 ... 2.5.8 (8 versions)
The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
- CVE-2016-8738 | MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 2.5.13 | 2017-09-20
vulnerable: 2.5 ... 2.5.8 (8 versions)
In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing valida…
- CVE-2017-12611 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.5.11 | 2017-09-20
vulnerable: 2.5 ... 2.5.8 (7 versions)
In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.
- CVE-2017-5638 | CRITICAL | CVSS 9.8 | EG 9.8 | ⚠ KEV | ✓ Fixed in 2.5.10.1 | 2017-03-11
vulnerable: 2.5 ... 2.5.8 (6 versions)
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary com…
- CVE-2017-7672 | MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 2.5.12 | 2017-07-13
vulnerable: 2.5 ... 2.5.8 (7 versions)
If an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload the server process when performing validation of the URL. Solution is to upgrade to…
- CVE-2017-9787 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.5.12 | 2017-07-13
vulnerable: 2.5 ... 2.5.8 (7 versions)
When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.
- CVE-2017-9804 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.5.13 | 2017-09-20
vulnerable: 2.5 ... 2.5.8 (8 versions)
In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process …
- CVE-2018-11776 | HIGH | CVSS 8.1 | EG 9.0 | ⚠ KEV | ✓ Fixed in 2.5.17 | 2018-08-22
vulnerable: 2.5 ... 2.5.8 (12 versions)
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and i…
- CVE-2019-0230 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.5.22 | 2020-09-14
vulnerable: 2.0.11 ... 2.5.8 (73 versions)
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
- CVE-2019-0233 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.5.22 | 2020-09-14
vulnerable: 2.0.11 ... 2.5.8 (73 versions)
An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.