PT-2016-3436 · Apache · Apache Struts
Nixawk
·
Published
2016-04-19
·
Updated
2022-05-14
·
CVE-2016-3081
CVSS v2.0
9.3
High
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Apache Struts versions 2.3.19 through 2.3.20.2
Apache Struts versions 2.3.21 through 2.3.24.1
Apache Struts versions 2.3.25 through 2.3.28
Description
The issue is related to the implementation of the Dynamic Method Invocation (DMI) mechanism in Apache Struts, which fails to properly sanitize input data. This allows a remote attacker to execute arbitrary code using the method: prefix, related to chained expressions.
Recommendations
For Apache Struts versions 2.3.19 through 2.3.20.2, update to a version outside of this range to mitigate the risk.
For Apache Struts versions 2.3.21 through 2.3.24.1, update to a version outside of this range to mitigate the risk.
For Apache Struts versions 2.3.25 through 2.3.28, update to a version outside of this range to mitigate the risk.
As a temporary workaround, consider disabling Dynamic Method Invocation until a patch is available.
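Two defender-side checks that follow from the advisory, as an added example (not part of the original advisory): a version test against the three affected ranges listed above, and a scan of web-server access log lines for request parameters carrying the DMI method: prefix. The log lines are constructed samples; the regular expression assumes a combined-style access log.

```python
"""Defender checks for CVE-2016-3081 (Apache Struts DMI 'method:' prefix).

Added example, not code from the advisory. Version ranges are those the
advisory lists; the access-log lines are constructed samples.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Inclusive affected ranges exactly as stated in the advisory.
AFFECTED_RANGES = [("2.3.19", "2.3.20.2"), ("2.3.21", "2.3.24.1"), ("2.3.25", "2.3.28")]


def parse_version(version):
    """'2.3.20.2' -> (2, 3, 20, 2); padded to four parts so tuples compare cleanly."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version):
    """True if the Struts version lies inside any advisory range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


# Constructed combined-style access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [19/Apr/2016:10:00:01 +0000] "GET /app/index.action HTTP/1.1" 200 512
10.0.0.9 - - [19/Apr/2016:10:00:02 +0000] "GET /app/index.action?method%3Afoo=1 HTTP/1.1" 200 77
10.0.0.7 - - [19/Apr/2016:10:00:03 +0000] "POST /app/login.action HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?P<verb>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
DMI_PREFIX = "method:"


def dmi_parameters(target):
    """Query parameter names that start with 'method:' once URL-decoded by parse_qsl."""
    query = urlsplit(target).query
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if n.lower().startswith(DMI_PREFIX)]


def scan_log(text):
    """Return (client_ip, request_target, dmi_params) for each hit.

    Only the request line is visible in an access log, so parameters sent in a
    POST body are not covered; inspect those at a proxy or WAF instead.
    """
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and (params := dmi_parameters(m.group("target"))):
            hits.append((line.split()[0], m.group("target"), params))
    return hits
```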
Exploit
Fix
RCE
Command Injection
Affected products
Apache Struts