*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (25 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-31805
### Vulnerable Library - struts2-core-2.3.24.3.jar
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-17530
### Vulnerable Library - struts2-core-2.3.24.3.jar
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2019-0230
### Vulnerable Library - struts2-core-2.3.24.3.jar
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2017-5638
### Vulnerable Library - struts2-core-2.3.24.3.jar
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2017-03-11
Fix Resolution: 2.3.32
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2017-12611
### Vulnerable Library - struts2-core-2.3.24.3.jar
In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-6795
### Vulnerable Library - struts2-core-2.3.24.3.jar
In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side.
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2017-09-20
Fix Resolution: 2.3.31
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-4436
### Vulnerable Library - struts2-core-2.3.24.3.jar
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2016-10-03
Fix Resolution: 2.3.29
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-4461
### Vulnerable Library - xwork-core-2.3.24.3.jar
Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.29
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-4430
### Vulnerable Library - struts2-core-2.3.24.3.jar
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-0785
### Vulnerable Library - xwork-core-2.3.24.3.jar
Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.28
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2018-11776
### Vulnerable Library - struts2-core-2.3.24.3.jar
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2014-0034
### Vulnerable Library - commons-fileupload-1.3.1.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.37
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-47554
### Vulnerable Library - commons-io-2.2.jar
The Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
Uncontrolled Resource Consumption vulnerability in Apache Commons IO.
The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.
This issue affects Apache Commons IO: from 2.0 before 2.14.0.
Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-41835
### Vulnerable Library - struts2-core-2.3.24.3.jar
When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied.
Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-24998
### Vulnerable Library - commons-fileupload-1.3.1.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
Note that, like all of the file upload limits, the
new configuration option (FileUploadBase#setFileCountMax) is not
enabled by default and must be explicitly configured.
Direct dependency fix Resolution (org.apache.struts:struts2-core): 6.1.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2019-0233
### Vulnerable Library - struts2-core-2.3.24.3.jar
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2017-9804
### Vulnerable Libraries - xwork-core-2.3.24.3.jar, struts2-core-2.3.24.3.jar
In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.34
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2017-9787
### Vulnerable Libraries - struts2-core-2.3.24.3.jar, xwork-core-2.3.24.3.jar
When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.33
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-4433
### Vulnerable Libraries - struts2-core-2.3.24.3.jar, xwork-core-2.3.24.3.jar
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.29
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-4431
### Vulnerable Library - struts2-core-2.3.24.3.jar
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2016-07-04
Fix Resolution: 2.3.29
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-3092
### Vulnerable Library - commons-fileupload-1.3.1.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.30
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-1000031
### Vulnerable Library - commons-fileupload-1.3.1.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.37
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-4003
### Vulnerable Library - struts2-core-2.3.24.3.jar
Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.
For more information on CVSS3 Scores, click here.
### Suggested Fix
Type: Upgrade version
Release Date: 2016-04-12
Fix Resolution: 2.3.28
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-2162
### Vulnerable Library - xwork-core-2.3.24.3.jar
Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.
Apache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-50164
### Vulnerable Library - struts2-core-2.3.24.3.jarApache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsAn attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
Publish Date: 2023-12-07
URL: CVE-2023-50164
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj
Release Date: 2023-12-07
Fix Resolution: 2.5.33
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-31805
### Vulnerable Library - struts2-core-2.3.24.3.jarApache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsThe fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
Publish Date: 2022-04-12
URL: CVE-2021-31805
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-062
Release Date: 2022-04-12
Fix Resolution: 2.3.28
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2020-17530
### Vulnerable Library - struts2-core-2.3.24.3.jarApache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsForced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
Publish Date: 2020-12-11
URL: CVE-2020-17530
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-061
Release Date: 2020-12-11
Fix Resolution: 2.5.26
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2019-0230
### Vulnerable Library - struts2-core-2.3.24.3.jarApache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsApache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Publish Date: 2020-09-14
URL: CVE-2019-0230
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/ww/s2-059
Release Date: 2020-09-14
Fix Resolution: 2.5.22
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2017-5638
### Vulnerable Library - struts2-core-2.3.24.3.jarApache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsThe Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Publish Date: 2017-03-11
URL: CVE-2017-5638
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2017-03-11
Fix Resolution: 2.3.32
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2017-12611
### Vulnerable Library - struts2-core-2.3.24.3.jarApache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsIn Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.
Publish Date: 2017-09-20
URL: CVE-2017-12611
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-053
Release Date: 2017-09-20
Fix Resolution: 2.3.34
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-6795
### Vulnerable Library - struts2-core-2.3.24.3.jarApache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsIn the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side.
Publish Date: 2017-09-20
URL: CVE-2016-6795
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2017-09-20
Fix Resolution: 2.3.31
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-4436
### Vulnerable Library - struts2-core-2.3.24.3.jarApache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsApache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up.
Publish Date: 2016-10-03
URL: CVE-2016-4436
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2016-10-03
Fix Resolution: 2.3.29
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-4461
### Vulnerable Library - xwork-core-2.3.24.3.jarApache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.24.3/xwork-core-2.3.24.3.jar
Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **xwork-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsApache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.
Publish Date: 2017-10-16
URL: CVE-2016-4461
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2017-10-16
Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.29
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.29
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-4430
### Vulnerable Library - struts2-core-2.3.24.3.jarApache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsApache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.
Publish Date: 2016-07-04
URL: CVE-2016-4430
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4430
Release Date: 2016-07-04
Fix Resolution: 2.3.29
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-0785
### Vulnerable Library - xwork-core-2.3.24.3.jarApache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.24.3/xwork-core-2.3.24.3.jar
Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **xwork-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsApache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.
Publish Date: 2016-04-12
URL: CVE-2016-0785
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2016-04-12
Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.28
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.28
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2018-11776
### Vulnerable Library - struts2-core-2.3.24.3.jarApache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsApache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.
Publish Date: 2018-08-22
URL: CVE-2018-11776
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11776
Release Date: 2018-08-22
Fix Resolution: 2.3.35
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
WS-2014-0034
### Vulnerable Library - commons-fileupload-1.3.1.jarThe Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **commons-fileupload-1.3.1.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsThe class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception.
Publish Date: 2014-02-17
URL: WS-2014-0034
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2014-02-17
Fix Resolution (commons-fileupload:commons-fileupload): 1.4
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.37
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-47554
### Vulnerable Library - commons-io-2.2.jarThe Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.2/commons-io-2.2.jar
Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - commons-fileupload-1.3.1.jar - :x: **commons-io-2.2.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsUncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.
Publish Date: 2024-10-03
URL: CVE-2024-47554
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1
Release Date: 2024-10-03
Fix Resolution: commons-io:commons-io:2.14.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-41835
### Vulnerable Library - struts2-core-2.3.24.3.jarApache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsWhen a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue.
Publish Date: 2023-12-05
URL: CVE-2023-41835
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-41835
Release Date: 2023-12-05
Fix Resolution: 2.5.32
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-24998
### Vulnerable Library - commons-fileupload-1.3.1.jarThe Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **commons-fileupload-1.3.1.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsApache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
Publish Date: 2023-02-20
URL: CVE-2023-24998
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://tomcat.apache.org/security-10.html
Release Date: 2023-02-20
Fix Resolution (commons-fileupload:commons-fileupload): 1.5
Direct dependency fix Resolution (org.apache.struts:struts2-core): 6.1.2
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2019-0233
### Vulnerable Library - struts2-core-2.3.24.3.jarApache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsAn access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.
Publish Date: 2020-09-14
URL: CVE-2019-0233
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/ww/s2-060
Release Date: 2020-09-14
Fix Resolution: 2.5.22
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2017-9804
### Vulnerable Libraries - xwork-core-2.3.24.3.jar, struts2-core-2.3.24.3.jar### xwork-core-2.3.24.3.jar
Apache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.24.3/xwork-core-2.3.24.3.jar
Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **xwork-core-2.3.24.3.jar** (Vulnerable Library) ### struts2-core-2.3.24.3.jar
Apache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsIn Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.
Publish Date: 2017-09-20
URL: CVE-2017-9804
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2017-09-20
Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.34
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.34
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2017-9787
### Vulnerable Libraries - struts2-core-2.3.24.3.jar, xwork-core-2.3.24.3.jar### struts2-core-2.3.24.3.jar
Apache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library) ### xwork-core-2.3.24.3.jar
Apache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.24.3/xwork-core-2.3.24.3.jar
Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **xwork-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsWhen using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.
Publish Date: 2017-07-13
URL: CVE-2017-9787
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2017-07-13
Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.33
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.33
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-4433
### Vulnerable Libraries - struts2-core-2.3.24.3.jar, xwork-core-2.3.24.3.jar### struts2-core-2.3.24.3.jar
Apache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library) ### xwork-core-2.3.24.3.jar
Apache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.24.3/xwork-core-2.3.24.3.jar
Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **xwork-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsApache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.
Publish Date: 2016-07-04
URL: CVE-2016-4433
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2016-07-04
Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.29
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.29
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-4431
### Vulnerable Library - struts2-core-2.3.24.3.jarApache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsApache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.
Publish Date: 2016-07-04
URL: CVE-2016-4431
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2016-07-04
Fix Resolution: 2.3.29
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-3092
### Vulnerable Library - commons-fileupload-1.3.1.jarThe Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **commons-fileupload-1.3.1.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsThe MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Publish Date: 2016-07-04
URL: CVE-2016-3092
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Release Date: 2016-07-04
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.2
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.30
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-1000031
### Vulnerable Library - commons-fileupload-1.3.1.jarThe Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **commons-fileupload-1.3.1.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsApache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Publish Date: 2016-10-25
URL: CVE-2016-1000031
### CVSS 3 Score Details (7.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
Release Date: 2016-10-25
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.3
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.37
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-4003
### Vulnerable Library - struts2-core-2.3.24.3.jarApache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.24.3/struts2-core-2.3.24.3.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsCross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.
Publish Date: 2016-04-12
URL: CVE-2016-4003
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2016-04-12
Fix Resolution: 2.3.28
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2016-2162
### Vulnerable Library - xwork-core-2.3.24.3.jarApache Struts 2
Library home page: http://www.apache.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.24.3/xwork-core-2.3.24.3.jar
Dependency Hierarchy: - struts2-core-2.3.24.3.jar (Root Library) - :x: **xwork-core-2.3.24.3.jar** (Vulnerable Library)
Found in HEAD commit: a00e29a7e34847575b65778e8d61c81a0f3c31fe
Found in base branch: master
### Vulnerability DetailsApache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.
Publish Date: 2016-04-12
URL: CVE-2016-2162
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2016-04-12
Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.28
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.28
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)