CVE-2016-3087
CRITICAL 9.8 | EPSS 87.0%
Apache Struts vulnerable to arbitrary remote code execution due to improper input validation
Published: 5/14/2022
Modified: 2/22/2024
Description
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an `!` (exclamation mark) operator to the REST Plugin.
Affected packages (1)
- Maven/org.apache.struts:struts2-core >= 2.3.19, < 2.3.20.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (8)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2016-3087
- PATCH: https://github.com/apache/struts
- WEB: https://github.com/apache/struts/commit/6bd694b7980494c12d49ca1bf39f12aec3e03e2f
- WEB: http://struts.apache.org/docs/s2-033.html
- WEB: https://web.archive.org/web/20160616082237/http://www.securitytracker.com/id/1036017
- WEB: https://web.archive.org/web/20160728170709/http://www.securityfocus.com/bid/90960
- WEB: https://www.exploit-db.com/exploits/39919
- WEB: http://www-01.ibm.com/support/docview.wss?uid=swg21987854