PT-2016-1804 · Apache · Apache Struts
Published
2016-04-26
·
Updated
2022-05-17
·
CVE-2016-3082
CVSS v3.1
10
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Apache Struts versions 2.x before 2.3.20.2
Apache Struts versions 2.3.24.x before 2.3.24.2
Apache Struts versions 2.3.28.x before 2.3.28.1
Description
The issue is related to the XSLTResult class in Apache Struts, which is vulnerable due to insufficient input validation. This allows remote attackers to execute arbitrary code via the
stylesheetLocation parameter. The vulnerability can be exploited by passing a malicious stylesheet location as a request parameter, potentially leading to remote code execution.Recommendations
For Apache Struts versions 2.x before 2.3.20.2, update to version 2.3.20.2 or later.
For Apache Struts versions 2.3.24.x before 2.3.24.2, update to version 2.3.24.2 or later.
For Apache Struts versions 2.3.28.x before 2.3.28.1, update to version 2.3.28.1 or later.
As a temporary workaround, consider restricting access to the
stylesheetLocation parameter to minimize the risk of exploitation.Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Struts