struts2-core-2.3.24.3.jar: 27 vulnerabilities (highest severity is: 10.0) - autoclosed

Vulnerable Library - struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (struts2-core version)	Remediation Available
CVE-2017-5638	Critical	10.0	struts2-core-2.3.24.3.jar	Direct	2.3.32	❌
CVE-2021-31805	Critical	9.8	struts2-core-2.3.24.3.jar	Direct	2.3.28	❌
CVE-2016-6795	Critical	9.8	struts2-core-2.3.24.3.jar	Direct	2.3.31	❌
CVE-2019-0230	Critical	9.8	struts2-core-2.3.24.3.jar	Direct	2.5.22	❌
CVE-2017-12611	Critical	9.8	struts2-core-2.3.24.3.jar	Direct	2.3.34	❌
CVE-2016-4436	Critical	9.8	struts2-core-2.3.24.3.jar	Direct	2.3.29	❌
CVE-2020-17530	Critical	9.8	struts2-core-2.3.24.3.jar	Direct	2.5.26	❌
CVE-2016-1000031	Critical	9.8	commons-fileupload-1.3.1.jar	Transitive	2.3.37	❌
CVE-2016-4430	High	8.8	struts2-core-2.3.24.3.jar	Direct	2.3.29	❌
CVE-2016-4461	High	8.8	xwork-core-2.3.24.3.jar	Transitive	2.3.29	❌
CVE-2016-0785	High	8.8	xwork-core-2.3.24.3.jar	Transitive	2.3.28	❌
CVE-2018-11776	High	8.1	struts2-core-2.3.24.3.jar	Direct	2.3.35	❌
CVE-2016-4431	High	7.5	struts2-core-2.3.24.3.jar	Direct	2.3.29	❌
CVE-2016-4433	High	7.5	detected in multiple dependencies	Direct	2.3.29	❌
CVE-2017-9804	High	7.5	detected in multiple dependencies	Direct	2.3.34	❌
CVE-2023-24998	High	7.5	commons-fileupload-1.3.1.jar	Transitive	6.1.2	❌
CVE-2019-0233	High	7.5	struts2-core-2.3.24.3.jar	Direct	2.5.22	❌
CVE-2017-9787	High	7.5	detected in multiple dependencies	Transitive	2.3.33	❌
CVE-2016-3092	High	7.5	commons-fileupload-1.3.1.jar	Transitive	2.3.30	❌
CVE-2023-34396	High	7.5	struts2-core-2.3.24.3.jar	Direct	org.apache.struts:struts2-core:2.5.31,6.1.2.1	❌
WS-2014-0034	High	7.5	commons-fileupload-1.3.1.jar	Transitive	2.3.37	❌
CVE-2023-34149	Medium	6.5	struts2-core-2.3.24.3.jar	Direct	org.apache.struts:struts2-core:2.5.31,6.1.2.1	❌
CVE-2016-4003	Medium	6.1	struts2-core-2.3.24.3.jar	Direct	2.3.28	❌
CVE-2016-2162	Medium	6.1	xwork-core-2.3.24.3.jar	Transitive	2.3.28	❌
CVE-2016-3093	Medium	5.3	ognl-3.0.6.1.jar	Transitive	2.3.28	❌
CVE-2016-4465	Medium	5.3	detected in multiple dependencies	Transitive	2.3.29	❌
CVE-2021-29425	Medium	4.8	commons-io-2.2.jar	Transitive	6.1.2	❌

Details

Partial details (26 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2017-5638

### Vulnerable Library - struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Publish Date: 2017-03-11

URL: CVE-2017-5638

### CVSS 3 Score Details (10.0)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2017-03-11

Fix Resolution: 2.3.32

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2021-31805

### Vulnerable Library - struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

Publish Date: 2022-04-12

URL: CVE-2021-31805

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/WW/S2-062

Release Date: 2022-04-12

Fix Resolution: 2.3.28

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-6795

### Vulnerable Library - struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side.

Publish Date: 2017-09-20

URL: CVE-2016-6795

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2016-10-18

Fix Resolution: 2.3.31

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2019-0230

### Vulnerable Library - struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Publish Date: 2020-09-14

URL: CVE-2019-0230

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/ww/s2-059

Release Date: 2020-09-14

Fix Resolution: 2.5.22

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2017-12611

### Vulnerable Library - struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.

Publish Date: 2017-09-20

URL: CVE-2017-12611

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/WW/S2-053

Release Date: 2017-09-07

Fix Resolution: 2.3.34

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-4436

### Vulnerable Library - struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.

Publish Date: 2016-10-03

URL: CVE-2016-4436

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2016-10-03

Fix Resolution: 2.3.29

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2020-17530

### Vulnerable Library - struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

Publish Date: 2020-12-11

URL: CVE-2020-17530

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/WW/S2-061

Release Date: 2020-12-11

Fix Resolution: 2.5.26

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-1000031

### Vulnerable Library - commons-fileupload-1.3.1.jar

The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Library home page: http://commons.apache.org/proper/commons-fileupload/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar

Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **commons-fileupload-1.3.1.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution

Publish Date: 2016-10-25

URL: CVE-2016-1000031

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031

Release Date: 2016-10-25

Fix Resolution (commons-fileupload:commons-fileupload): 1.3.3

Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.37

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-4430

### Vulnerable Library - struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.

Publish Date: 2016-07-04

URL: CVE-2016-4430

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4430

Release Date: 2016-07-04

Fix Resolution: 2.3.29

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-4461

### Vulnerable Library - xwork-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.24.3/xwork-core-2.3.24.3.jar

Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **xwork-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.

Publish Date: 2017-10-16

URL: CVE-2016-4461

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2017-10-16

Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.29

Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.29

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-0785

### Vulnerable Library - xwork-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.24.3/xwork-core-2.3.24.3.jar

Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **xwork-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.

Publish Date: 2016-04-12

URL: CVE-2016-0785

### CVSS 3 Score Details (8.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2016-04-12

Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.28

Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.28

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2018-11776

### Vulnerable Library - struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.

Publish Date: 2018-08-22

URL: CVE-2018-11776

### CVSS 3 Score Details (8.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11776

Release Date: 2018-08-22

Fix Resolution: 2.3.35

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-4431

### Vulnerable Library - struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.

Publish Date: 2016-07-04

URL: CVE-2016-4431

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2016-07-04

Fix Resolution: 2.3.29

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-4433

### Vulnerable Libraries - struts2-core-2.3.24.3.jar, xwork-core-2.3.24.3.jar

### struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library) ### xwork-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.24.3/xwork-core-2.3.24.3.jar

Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **xwork-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.

Publish Date: 2016-07-04

URL: CVE-2016-4433

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2016-07-04

Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.28.1

Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.28.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2017-9804

### Vulnerable Libraries - struts2-core-2.3.24.3.jar, xwork-core-2.3.24.3.jar

### struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library) ### xwork-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.24.3/xwork-core-2.3.24.3.jar

Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **xwork-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.

Publish Date: 2017-09-20

URL: CVE-2017-9804

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2017-09-05

Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.34

Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.34

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2023-24998

### Vulnerable Library - commons-fileupload-1.3.1.jar

The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Library home page: http://commons.apache.org/proper/commons-fileupload/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar

Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **commons-fileupload-1.3.1.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

Publish Date: 2023-02-20

URL: CVE-2023-24998

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-10.html

Release Date: 2023-02-20

Fix Resolution (commons-fileupload:commons-fileupload): 1.5

Direct dependency fix Resolution (org.apache.struts:struts2-core): 6.1.2

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2019-0233

### Vulnerable Library - struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.

Publish Date: 2020-09-14

URL: CVE-2019-0233

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/ww/s2-060

Release Date: 2020-09-14

Fix Resolution: 2.5.22

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2017-9787

### Vulnerable Libraries - xwork-core-2.3.24.3.jar, struts2-core-2.3.24.3.jar

### xwork-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.24.3/xwork-core-2.3.24.3.jar

Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **xwork-core-2.3.24.3.jar** (Vulnerable Library) ### struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.

Publish Date: 2017-07-13

URL: CVE-2017-9787

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2017-07-13

Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.33

Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.33

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-3092

### Vulnerable Library - commons-fileupload-1.3.1.jar

The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Library home page: http://commons.apache.org/proper/commons-fileupload/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar

Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **commons-fileupload-1.3.1.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Publish Date: 2016-07-04

URL: CVE-2016-3092

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092

Release Date: 2016-07-04

Fix Resolution (commons-fileupload:commons-fileupload): 1.3.2

Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.30

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2023-34396

### Vulnerable Library - struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater

Publish Date: 2023-06-14

URL: CVE-2023-34396

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-4g42-gqrg-4633

Release Date: 2023-06-14

Fix Resolution: org.apache.struts:struts2-core:2.5.31,6.1.2.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

WS-2014-0034

### Vulnerable Library - commons-fileupload-1.3.1.jar

The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Library home page: http://commons.apache.org/proper/commons-fileupload/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar

Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **commons-fileupload-1.3.1.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

The class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception.

Publish Date: 2014-02-17

URL: WS-2014-0034

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2014-02-17

Fix Resolution (commons-fileupload:commons-fileupload): 1.4

Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.37

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2023-34149

### Vulnerable Library - struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

Publish Date: 2023-06-14

URL: CVE-2023-34149

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-8f6x-v685-g2xc

Release Date: 2023-06-14

Fix Resolution: org.apache.struts:struts2-core:2.5.31,6.1.2.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-4003

### Vulnerable Library - struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.

Publish Date: 2016-04-12

URL: CVE-2016-4003

### CVSS 3 Score Details (6.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2016-04-12

Fix Resolution: 2.3.28

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-2162

### Vulnerable Library - xwork-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.24.3/xwork-core-2.3.24.3.jar

Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **xwork-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.

Publish Date: 2016-04-12

URL: CVE-2016-2162

### CVSS 3 Score Details (6.1)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2016-04-12

Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.28

Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.28

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-3093

### Vulnerable Library - ognl-3.0.6.1.jar

OGNL - Object Graph Navigation Library

Library home page: http://ognl.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ognl/ognl/3.0.6.1/ognl-3.0.6.1.jar

Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - xwork-core-2.3.24.3.jar - :x: **ognl-3.0.6.1.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.

Publish Date: 2016-06-07

URL: CVE-2016-3093

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-3093

Release Date: 2016-06-07

Fix Resolution (ognl:ognl): 3.0.12

Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.28

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-4465

### Vulnerable Libraries - xwork-core-2.3.24.3.jar, struts2-core-2.3.24.3.jar

### xwork-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.24.3/xwork-core-2.3.24.3.jar

Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **xwork-core-2.3.24.3.jar** (Vulnerable Library) ### struts2-core-2.3.24.3.jar

Apache Struts 2

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar

Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)

Found in HEAD commit: 387611ba69708e64c4617199869cd6109736954c

Found in base branch: master

### Vulnerability Details

The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.

Publish Date: 2016-07-04

URL: CVE-2016-4465

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2016-07-04

Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.29

Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.29

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

momo-tong / struts2-core-2.3.24.3

struts2-core-2.3.24.3.jar: 27 vulnerabilities (highest severity is: 10.0) - autoclosed #3

Vulnerabilities

Details