PT-2016-3436 · Apache · Apache Struts
Nixawk · Published 2016-04-19 · Updated 2022-05-14 · CVE-2016-3081
CVSS v2.0: 9.3 (High)
| Vector | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Apache Struts versions 2.3.19 through 2.3.20.2
Apache Struts versions 2.3.21 through 2.3.24.1
Apache Struts versions 2.3.25 through 2.3.28
Description
The issue is related to the implementation of the Dynamic Method Invocation (DMI) mechanism in Apache Struts, which fails to properly sanitize input data. This allows a remote attacker to execute arbitrary code using the method: prefix, related to chained expressions.
Recommendations
For Apache Struts versions 2.3.19 through 2.3.20.2, update to a version outside of this range to mitigate the risk.
For Apache Struts versions 2.3.21 through 2.3.24.1, update to a version outside of this range to mitigate the risk.
For Apache Struts versions 2.3.25 through 2.3.28, update to a version outside of this range to mitigate the risk.
As a temporary workaround, consider disabling Dynamic Method Invocation until a patch is available.
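One way to apply the workaround above is through the struts.enable.DynamicMethodInvocation constant, which the Struts 2.3 line ships enabled by default. The struts.xml fragment below is an added example, not part of the advisory or of Apache Struts itself; the package name, action name and action class are placeholders. It shows the weak setting (DMI on) commented out beside the hardened setting (DMI off), with an explicit action mapping that keeps the one intended method reachable without the method: prefix.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<!-- Added example (not from the advisory): struts.xml applying the
     temporary workaround of disabling Dynamic Method Invocation. -->
<struts>
    <!-- Weak setting: DMI enabled (the 2.3.x default), so a request can
         pick the action method to invoke via the method: prefix. Shown
         commented out for comparison only. -->
    <!-- <constant name="struts.enable.DynamicMethodInvocation" value="true" /> -->

    <!-- Hardened setting: turn DMI off for the whole application, so the
         method: prefix is no longer honoured. -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- Placeholder package/action/class names; with DMI off, each method
         that should stay reachable gets its own explicit mapping. -->
    <package name="example" extends="struts-default">
        <action name="profileSave" class="com.example.ProfileAction" method="save">
            <result>/profile.jsp</result>
        </action>
    </package>
</struts>
```

The same constant can be set in struts.properties as struts.enable.DynamicMethodInvocation=false. Disabling DMI is only a stopgap: applications that relied on it need explicit action mappings like the one above, and the permanent fix remains upgrading to a version outside the affected ranges.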
Exploit · Fix
RCE · Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Apache Struts