CVE-2016-4461

Published: Oct 16, 2017Modified: May 13, 2026

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.

Affected (2)

Products: Apache: Struts · Netapp: Oncommand Balance

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Struts	From 2.0.0 to 2.3.29

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Netapp Oncommand Balance	All versions

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (6)

http://www.securityfocus.com/bid/91277

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

https://security.netapp.com/advisory/ntap-20180629-0004/

Source: secalert@redhat.com

Third Party Advisory

https://struts.apache.org/docs/s2-036.html

Source: secalert@redhat.com

MitigationVendor Advisory

http://www.securityfocus.com/bid/91277

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://security.netapp.com/advisory/ntap-20180629-0004/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://struts.apache.org/docs/s2-036.html

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

Timeline

No history available yet.