CVSS v3.1 base score: 8.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 / Impact: 5.9
Source: NVD
Description
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are affected by possible Remote Code Execution when alwaysSelectFullNamespace is true (set either by the user or by a plugin such as the Convention Plugin) and results are used with no namespace while, at the same time, their upper package has no namespace or a wildcard namespace. Similarly to results, the same possibility exists when using a url tag that has no value and action set while, at the same time, its upper package has no namespace or a wildcard namespace.
Affected (13)
Configuration B
| Vulnerable Software | Affected Versions |
|---|---|
| From 9.5 | |
| All versions | |
| All versions | |
| All versions | |
Configuration C
| Vulnerable Software | Affected Versions |
|---|---|
| Before 12.5.0 | |
| Version 13.3.0.0 | |
| Up to 3.4.9.4237 | |