| Item | Detail |
|---|---|
| Product | Struts |
| Number of NVD entries | 84 (CRITICAL 15, HIGH 34, MEDIUM 34, LOW 1) |
| URL | https://struts.apache.org |
| Explanation | Struts is an open-source MVC web application framework for Java developed by the Apache Software Foundation and free to use. Several highly urgent vulnerabilities have been found in it over the years, including remote command execution, and exploitation of these vulnerabilities has led to incidents such as information leaks. Development of Struts 1 started in early 2000 and a large number of companies adopted it; Struts 1 is no longer supported (end of life announced April 5, 2013). |
| No | Name | URL |
|---|---|---|
| 1 | Struts 1 EOL announcement | https://struts.apache.org/struts1eol-announcement.html |
| 2 | Downloads | https://struts.apache.org/download.cgi |
| 3 | Releases | https://struts.apache.org/releases.html |
| 4 | Struts 1 source (GitHub) | https://github.com/apache/struts1 |
| 5 | Struts source (GitHub) | https://github.com/apache/struts |
| 6 | Security Bulletins | https://cwiki.apache.org/confluence/display/WW/Security+Bulletins |
| 7 | Struts 2.3 EOL announcement | https://struts.apache.org/struts23-eol-announcement |
| No | Name | Latest version | Release date | Initial release | Normal support (until) | Security support (until) | Service pack support | Extended (for a fee) | Critical | High | Medium | Low |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 21 | Struts 6 | 6.7.0 | Nov. 17, 2024 | June 6, 2022 | | | | | 1 | 1 | 1 | 0 |
| 22 | Struts 2.5 | 2.5.33 | April 4, 2022 | May 5, 2016 | Oct. 30, 2023 | April 30, 2024 | | | 7 | 9 | 5 | 0 |
| 23 | Struts 2.3 | 2.3.37 | Dec. 30, 2018 | Dec. 9, 2011 | Nov. 14, 2018 | April 14, 2019 | | | 14 | 26 | 19 | 0 |
| 24 | Struts 2.2 | 2.2.3.1 | Sept. 7, 2011 | June 29, 2010 | Dec. 18, 2011 | | | | 10 | 21 | 20 | 1 |
| 25 | Struts 2.1 | 2.1.8.1 | Nov. 11, 2009 | Oct. 29, 2007 | Dec. 18, 2011 | | | | 9 | 21 | 21 | 1 |
| 26 | Struts 2.0 | 2.0.15 | Nov. 17, 2008 | Sept. 25, 2006 | Dec. 18, 2011 | | | | 9 | 20 | 23 | 1 |
| 27 | Struts 1 | 1.3.10 | Dec. 7, 2008 | May 1, 2000 | April 5, 2013 | | | | 0 | 7 | 5 | 0 |
| No | CVSS3 | CVSS2 | Level | Attack Vector | Title | CWE | CVE | cpe23Uri | Affected version range ("or higher" / "less than") | Updated | Published |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 21 | 5.9 | 4.3 | MEDIUM | Network | In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overlo… | CWE-20 Improper Input Validation | CVE-2016-8738 | cpe:2.3:a:apache:struts:2.5:* cpe:2.3:a:apache:struts:2.5.5:* cpe:2.3:a:apache:struts:2.5.4:* cpe:2.3:a:apache… | | 2024-11-21 11:59 | 2017-09-21 |
| 22 | 9.8 | 7.5 | CRITICAL | Network | In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on… | CWE-22 Path Traversal | CVE-2016-6795 | cpe:2.3:a:apache:struts:2.3.30:* cpe:2.3:a:apache:struts:2.3.29:* cpe:2.3:a:apache:struts:2.3.28:* cpe:2.3:a:a… | | 2024-11-21 11:56 | 2017-09-21 |
| 23 | 8.1 | 6.8 | HIGH | Network | The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can… | CWE-502 Deserialization of Untrusted Data | CVE-2017-9805 | cpe:2.3:a:apache:struts:*:* | 2.1.2 or higher, less than 2.3.34; 2.5.0 or higher, less than 2.5.13 | 2026-04-22 01:55 | 2017-09-16 |
| 24 | 7.5 | 5.0 | HIGH | Network | Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object. | CWE-20 Improper Input Validation | CVE-2015-5209 | cpe:2.3:a:apache:struts:2.3.9:* cpe:2.3:a:apache:struts:2.3.8:* cpe:2.3:a:apache:struts:2.3.7:* cpe:2.3:a:apac… | | 2024-11-21 11:32 | 2017-08-30 |
| 25 | 7.5 | 5.0 | HIGH | Network | When using Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33. | NVD-CWE-noinfo | CVE-2017-9787 | cpe:2.3:a:apache:struts:2.5:* cpe:2.3:a:apache:struts:2.5.9:* cpe:2.3:a:apache:struts:2.5.8:* cpe:2.3:a:apache… | | 2024-11-21 12:36 | 2017-07-14 |
| 26 | 5.9 | 4.3 | MEDIUM | Network | If an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload the server process when performing validati… | CWE-20 Improper Input Validation | CVE-2017-7672 | cpe:2.3:a:apache:struts:2.5:* cpe:2.3:a:apache:struts:2.5.8:* cpe:2.3:a:apache:struts:2.5.5:* cpe:2.3:a:apache… | | 2024-11-21 12:32 | 2017-07-14 |
| 27 | 9.8 | 7.5 | CRITICAL | Network | The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. | CWE-20 Improper Input Validation | CVE-2017-9791 | cpe:2.3:a:apache:struts:2.3.8:* cpe:2.3:a:apache:struts:2.3.7:* cpe:2.3:a:apache:struts:2.3.4:* cpe:2.3:a:apac… | | 2026-04-22 01:59 | 2017-07-11 |
| 28 | 9.8 | 10.0 | CRITICAL | Network | The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows r… | CWE-755 Improper Handling of Exceptional Conditions | CVE-2017-5638 | cpe:2.3:a:apache:struts:*:* | 2.2.3 or higher, less than 2.3.32; 2.5.0 or higher, less than 2.5.10.1 | 2026-04-22 02:04 | 2017-03-11 |
| 29 | 9.8 | 7.5 | CRITICAL | Network | Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. | NVD-CWE-noinfo | CVE-2016-4436 | cpe:2.3:a:apache:struts:2.5:beta3 cpe:2.3:a:apache:struts:2.5:beta2 cpe:2.3:a:apache:struts:2.5:beta1 cpe:2.3:… | | 2024-11-21 11:52 | 2016-10-04 |
| 30 | 5.3 | 5.0 | MEDIUM | Network | The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field. | CWE-20 Improper Input Validation | CVE-2016-4465 | cpe:2.3:a:apache:struts:2.5:beta3 cpe:2.3:a:apache:struts:2.5:beta2 cpe:2.3:a:apache:struts:2.5:beta1 cpe:2.3:… | | 2024-11-21 11:52 | 2016-07-05 |
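Two rows in the table above (CVE-2017-9805 and CVE-2017-5638) express the affected builds as version ranges ("or higher" is NVD's versionStartIncluding, "less than" its versionEndExcluding) rather than as an enumerated cpe23Uri list. The following is an added example for this page, not code from the Apache Struts project or from the NVD; it shows how to compare a deployed Struts version against those ranges correctly, including four-component versions such as 2.5.10.1, the 2.5 GA release whose cpe carries no trailing .0, and pre-release cpe entries such as 2.5:beta3. The ranges are copied from the table; the ordering rule for beta/rc tags is an assumption made for the example.

```python
"""Check a Struts version against the affected-version ranges listed above.

Added example for this page; it is not code from the Apache Struts project or
from the NVD. The ranges are the "or higher" / "less than" columns of the
CVE-2017-9805 and CVE-2017-5638 rows. The other rows enumerate explicit
cpe23Uri versions (truncated on the page) and need an exact-match lookup.
"""
import re
from dataclasses import dataclass

# Pre-release tags as they appear in the cpe "update" field (e.g. 2.5:beta3).
# Assumption for this example: any pre-release sorts below the final release
# of the same version, and beta sorts below rc.
_PRERELEASE_RANK = {"beta": -2, "rc": -1}
_COMPONENTS = 4  # Struts versions have up to four numeric parts (2.5.10.1)


def version_key(version: str) -> tuple:
    """Turn '2.5.10.1' or '2.5:beta3' into a tuple that sorts correctly.

    Missing trailing components count as zero, so '2.5' == '2.5.0' == '2.5.0.0'
    (the cpe for the 2.5 GA release is written without a trailing .0).
    """
    number, _, update = version.partition(":")
    parts = [int(p) for p in number.split(".")]
    if not 1 <= len(parts) <= _COMPONENTS:
        raise ValueError(f"unexpected version format: {version!r}")
    parts += [0] * (_COMPONENTS - len(parts))
    if update in ("", "*"):
        return (*parts, 0, 0)
    m = re.fullmatch(r"(beta|rc)(\d*)", update.lower())
    if m is None:
        raise ValueError(f"unexpected update tag: {version!r}")
    return (*parts, _PRERELEASE_RANK[m.group(1)], int(m.group(2) or 0))


@dataclass(frozen=True)
class VersionRange:
    start_including: str  # table column "or higher"  (versionStartIncluding)
    end_excluding: str    # table column "less than"  (versionEndExcluding)

    def contains(self, version: str) -> bool:
        key = version_key(version)
        return version_key(self.start_including) <= key < version_key(self.end_excluding)


# Affected ranges copied from the CVE table above, one VersionRange per branch.
AFFECTED_RANGES = {
    "CVE-2017-9805": (VersionRange("2.1.2", "2.3.34"), VersionRange("2.5.0", "2.5.13")),
    "CVE-2017-5638": (VersionRange("2.2.3", "2.3.32"), VersionRange("2.5.0", "2.5.10.1")),
}


def cves_for(version: str) -> list:
    """Return the CVE ids from AFFECTED_RANGES whose ranges cover `version`."""
    return sorted(
        cve for cve, ranges in AFFECTED_RANGES.items()
        if any(r.contains(version) for r in ranges)
    )


if __name__ == "__main__":
    # Constructed sample inventory: version strings as a scanner might report them.
    for v in ["2.3.31", "2.3.32", "2.5", "2.5:beta3", "2.5.10.1", "2.5.13", "6.7.0"]:
        print(f"{v:>10}: {cves_for(v) or 'not in these ranges'}")
```

The boundary cases are the ones that matter in practice: 2.3.32 is the first fixed build for CVE-2017-5638 but still inside the CVE-2017-9805 range, and 2.5.10.1 is fixed for CVE-2017-5638 while remaining vulnerable to CVE-2017-9805. A naive string comparison gets both wrong. For the rows that list explicit cpe23Uri entries, the full (untruncated) NVD configuration has to be matched exactly, and since NVD ranges and the project's own advisories do not always agree, confirm against the Security Bulletins page linked in the table (No. 6) before declaring a build unaffected.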