Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors.
Apache Struts 2
Library home page: http://struts.apache.org/
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2016-0785
### Vulnerable Library - xwork-core-2.3.20.jarApache Struts 2
Library home page: http://struts.apache.org/
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
Dependency Hierarchy: - :x: **xwork-core-2.3.20.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsApache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.
Publish Date: 2016-04-12
URL: CVE-2016-0785
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2016-04-12
Fix Resolution: 2.3.28
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2016-4461
### Vulnerable Library - xwork-core-2.3.20.jarApache Struts 2
Library home page: http://struts.apache.org/
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
Dependency Hierarchy: - :x: **xwork-core-2.3.20.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsApache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.
Publish Date: 2017-10-16
URL: CVE-2016-4461
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2017-10-16
Fix Resolution: 2.3.29
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2015-5209
### Vulnerable Library - xwork-core-2.3.20.jarApache Struts 2
Library home page: http://struts.apache.org/
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
Dependency Hierarchy: - :x: **xwork-core-2.3.20.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsApache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.
Publish Date: 2017-08-29
URL: CVE-2015-5209
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5209
Release Date: 2017-08-29
Fix Resolution: 2.3.24.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-9787
### Vulnerable Library - xwork-core-2.3.20.jarApache Struts 2
Library home page: http://struts.apache.org/
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
Dependency Hierarchy: - :x: **xwork-core-2.3.20.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsWhen using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.
Publish Date: 2017-07-13
URL: CVE-2017-9787
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2017-07-13
Fix Resolution: 2.3.33
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2016-4433
### Vulnerable Library - xwork-core-2.3.20.jarApache Struts 2
Library home page: http://struts.apache.org/
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
Dependency Hierarchy: - :x: **xwork-core-2.3.20.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsApache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.
Publish Date: 2016-07-04
URL: CVE-2016-4433
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2016-07-04
Fix Resolution: 2.3.28.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-9804
### Vulnerable Library - xwork-core-2.3.20.jarApache Struts 2
Library home page: http://struts.apache.org/
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
Dependency Hierarchy: - :x: **xwork-core-2.3.20.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsIn Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.
Publish Date: 2017-09-20
URL: CVE-2017-9804
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2017-09-05
Fix Resolution: 2.3.34
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2016-2162
### Vulnerable Library - xwork-core-2.3.20.jarApache Struts 2
Library home page: http://struts.apache.org/
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
Dependency Hierarchy: - :x: **xwork-core-2.3.20.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsApache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.
Publish Date: 2016-04-12
URL: CVE-2016-2162
### CVSS 3 Score Details (6.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2016-04-12
Fix Resolution: 2.3.28
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2016-4465
### Vulnerable Library - xwork-core-2.3.20.jarApache Struts 2
Library home page: http://struts.apache.org/
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
Dependency Hierarchy: - :x: **xwork-core-2.3.20.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThe URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
Publish Date: 2016-07-04
URL: CVE-2016-4465
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2016-07-04
Fix Resolution: 2.3.29
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2015-1831
### Vulnerable Library - xwork-core-2.3.20.jarApache Struts 2
Library home page: http://struts.apache.org/
Path to dependency file: /todolist-goof/todolist-web-struts/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.20/xwork-core-2.3.20.jar,/todolist-goof/todolist-web-struts/target/todolist/WEB-INF/lib/xwork-core-2.3.20.jar
Dependency Hierarchy: - :x: **xwork-core-2.3.20.jar** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsThe default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors.
Publish Date: 2015-07-16
URL: CVE-2015-1831
### CVSS 3 Score Details (4.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-1831
Release Date: 2015-07-16
Fix Resolution: 2.3.20.1
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.