PT-2016-1804 · Apache · Apache Struts
Publicado
2016-04-26
·
Atualizado
2022-05-17
·
CVE-2016-3082
CVSS v3.1
10
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache Struts versions 2.x before 2.3.20.2
Apache Struts versions 2.3.24.x before 2.3.24.2
Apache Struts versions 2.3.28.x before 2.3.28.1
Description
The issue is related to the XSLTResult class in Apache Struts, which is vulnerable due to insufficient input validation. This allows remote attackers to execute arbitrary code via the
stylesheetLocation parameter. The vulnerability can be exploited by passing a malicious stylesheet location as a request parameter, potentially leading to remote code execution.Recommendations
For Apache Struts versions 2.x before 2.3.20.2, update to version 2.3.20.2 or later.
For Apache Struts versions 2.3.24.x before 2.3.24.2, update to version 2.3.24.2 or later.
For Apache Struts versions 2.3.28.x before 2.3.28.1, update to version 2.3.28.1 or later.
As a temporary workaround, consider restricting access to the
stylesheetLocation parameter to minimize the risk of exploitation.Correção
RCE
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Apache Struts