| Name | Number Of NVD | CRITICAL | HIGH | MEDIUM | LOW |
|---|---|---|---|---|---|
| Struts | 84 | 15 | 34 | 34 | 1 |

| URL | https://struts.apache.org |
|---|---|
| Explanation | Struts is an MVC framework for Java web applications developed by the Apache Software Foundation. It is open source and can be used free of charge. Highly urgent vulnerabilities, such as the ability to execute commands remotely, have been found in it several times, and incidents such as information leaks have occurred through exploitation of these vulnerabilities. Development of Struts 1 started in early 2000, and quite a number of companies have been using it. Struts 1 is no longer supported. |
| Tag | |

| No | Type | Name | URL |
|---|---|---|---|
| 1 | | | https://struts.apache.org/struts1eol-announcement.html |
| 2 | | | https://struts.apache.org/download.cgi |
| 3 | | | https://struts.apache.org/releases.html |
| 4 | | | https://github.com/apache/struts1 |
| 5 | | | https://github.com/apache/struts |
| 6 | | | https://cwiki.apache.org/confluence/display/WW/Security+Bulletins |
| 7 | | | https://struts.apache.org/struts23-eol-announcement |

| No | Name | Latest Version | Release date | Initial release | Normal Support | Security Support / Service Pack Support | Extended for a fee | Critical | High | Medium | Low |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 31 | Struts 6 | 6.7.0 | Nov. 17, 2024 | June 6, 2022 | | | | 1 | 1 | 1 | 0 |
| 32 | Struts 2.5 | 2.5.33 | April 4, 2022 | May 5, 2016 | Oct. 30, 2023 | April 30, 2024 | | 7 | 9 | 5 | 0 |
| 33 | Struts 2.3 | 2.3.37 | Dec. 30, 2018 | Dec. 9, 2011 | Nov. 14, 2018 | April 14, 2019 | | 14 | 26 | 19 | 0 |
| 34 | Struts 2.2 | 2.2.3.1 | Sept. 7, 2011 | June 29, 2010 | Dec. 18, 2011 | | | 10 | 21 | 20 | 1 |
| 35 | Struts 2.1 | 2.1.8.1 | Nov. 11, 2009 | Oct. 29, 2007 | Dec. 18, 2011 | | | 9 | 21 | 21 | 1 |
| 36 | Struts 2.0 | 2.0.15 | Nov. 17, 2008 | Sept. 25, 2006 | Dec. 18, 2011 | | | 9 | 20 | 23 | 1 |
| 37 | Struts 1 | 1.3.10 | Dec. 7, 2014 | May 1, 2000 | April 5, 2013 | | | 0 | 7 | 5 | 0 |

| No | CVSS3 | CVSS2 | Level | Attack Vector | Title | CWE | CVE | cpe23Uri | Update date | Published date |
|---|---|---|---|---|---|---|---|---|---|---|
| 31 | 9.8 | 7.5 | CRITICAL | Network | The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. | CWE-20 Improper Input Validation | CVE-2016-4438 | cpe:2.3:a:apache:struts:2.3.28:* cpe:2.3:a:apache:struts:2.3.24:* cpe:2.3:a:apache:struts:2.3.24.3:* cpe:2.3:a… | 2024-11-21 11:52 | 2016-07-5 |
| 32 | 7.5 | 5.0 | HIGH | Network | Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request. | CWE-20 Improper Input Validation | CVE-2016-4433 | cpe:2.3:a:apache:struts:2.3.28:* cpe:2.3:a:apache:struts:2.3.24:* cpe:2.3:a:apache:struts:2.3.24.3:* cpe:2.3:a… | 2024-11-21 11:52 | 2016-07-5 |
| 33 | 7.5 | 5.0 | HIGH | Network | Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method. | CWE-20 Improper Input Validation | CVE-2016-4431 | cpe:2.3:a:apache:struts:2.3.28:* cpe:2.3:a:apache:struts:2.3.24:* cpe:2.3:a:apache:struts:2.3.24.3:* cpe:2.3:a… | 2024-11-21 11:52 | 2016-07-5 |
| 34 | 8.8 | 6.8 | HIGH | Network | Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. | CWE-352 Origin Validation Error | CVE-2016-4430 | cpe:2.3:a:apache:struts:2.3.28:* cpe:2.3:a:apache:struts:2.3.28.1:* cpe:2.3:a:apache:struts:2.3.24:* cpe:2.3:a… | 2024-11-21 11:52 | 2016-07-5 |
| 35 | 8.2 | 6.4 | HIGH | Network | ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a… | CWE-20 Improper Input Validation | CVE-2016-1182 | cpe:2.3:a:apache:struts:1.3.9:* cpe:2.3:a:apache:struts:1.3.8:* cpe:2.3:a:apache:struts:1.3.7:* cpe:2.3:a:apac… | 2024-11-21 11:45 | 2016-07-5 |
| 36 | 8.1 | 6.8 | HIGH | Network | ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of servic… | NVD-CWE-noinfo | CVE-2016-1181 | cpe:2.3:a:apache:struts:1.3.9:* cpe:2.3:a:apache:struts:1.3.8:* cpe:2.3:a:apache:struts:1.3.7:* cpe:2.3:a:apac… | 2024-11-21 11:45 | 2016-07-5 |
| 37 | 7.5 | 5.0 | HIGH | Network | The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. | CWE-20 Improper Input Validation | CVE-2015-0899 | cpe:2.3:a:apache:struts:1.3.8:* cpe:2.3:a:apache:struts:1.3.5:* cpe:2.3:a:apache:struts:1.3.10:* cpe:2.3:a:apa… | 2024-11-21 11:23 | 2016-07-5 |
| 38 | 5.3 | 5.0 | MEDIUM | Network | Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web sit… | CWE-20 Improper Input Validation | CVE-2016-3093 | cpe:2.3:a:apache:struts:2.3.8:* cpe:2.3:a:apache:struts:2.3.7:* cpe:2.3:a:apache:struts:2.3.4:* cpe:2.3:a:apac… | 2024-11-21 11:49 | 2016-06-8 |
| 39 | 9.8 | 7.5 | CRITICAL | Network | Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (ex… | CWE-20 Improper Input Validation | CVE-2016-3087 | cpe:2.3:a:apache:struts:2.3.28:* cpe:2.3:a:apache:struts:2.3.24:* cpe:2.3:a:apache:struts:2.3.24.1:* cpe:2.3:a… | 2024-11-21 11:49 | 2016-06-8 |
| 40 | 9.8 | 10.0 | CRITICAL | Network | XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter. | CWE-20 Improper Input Validation | CVE-2016-3082 | cpe:2.3:a:apache:struts:2.3.8:* cpe:2.3:a:apache:struts:2.3.7:* cpe:2.3:a:apache:struts:2.3.4:* cpe:2.3:a:apac… | 2024-11-21 11:49 | 2016-04-26 |