Software Detail
Struts
Number of NVD entries: 84 (CRITICAL 15, HIGH 34, MEDIUM 34, LOW 1)
URL: https://struts.apache.org
Explanation: Struts is an MVC framework for Java web applications developed by the Apache Software Foundation.
It is open source and can be used free of charge.

Critical vulnerabilities, including remote command execution, have been found in it several times, and incidents such as information leaks have occurred through exploitation of these vulnerabilities.

Development of Struts1 started in early 2000, and a large number of companies have used it.

Struts1 is no longer supported.
Tag
  • Java
  • Apache License v2.0

Information URLs
  • 1: https://struts.apache.org/struts1eol-announcement.html
  • 2: https://struts.apache.org/download.cgi
  • 3: https://struts.apache.org/releases.html
  • 4: https://github.com/apache/struts1
  • 5: https://github.com/apache/struts
  • 6: https://cwiki.apache.org/confluence/display/WW/Security+Bulletins
  • 7: https://struts.apache.org/struts23-eol-announcement

List Of Product (release history and vulnerability counts by severity)
  • 41 Struts 6: latest version 6.7.0 (released Nov. 17, 2024); initial release June 6, 2022; vulnerabilities: Critical 1, High 1, Medium 1, Low 0
  • 42 Struts 2.5: latest version 2.5.33 (released April 4, 2022); initial release May 5, 2016; normal support until Oct. 30, 2023; security support until April 30, 2024; vulnerabilities: Critical 7, High 9, Medium 5, Low 0
  • 43 Struts 2.3: latest version 2.3.37 (released Dec. 30, 2018); initial release Dec. 9, 2011; normal support until Nov. 14, 2018; security support until April 14, 2019; vulnerabilities: Critical 14, High 26, Medium 19, Low 0
  • 44 Struts 2.2: latest version 2.2.3.1 (released Sept. 7, 2011); initial release June 29, 2010; support until Dec. 18, 2011; vulnerabilities: Critical 10, High 21, Medium 20, Low 1
  • 45 Struts 2.1: latest version 2.1.8.1 (released Nov. 11, 2009); initial release Oct. 29, 2007; support until Dec. 18, 2011; vulnerabilities: Critical 9, High 21, Medium 21, Low 1
  • 46 Struts 2.0: latest version 2.0.15 (released Nov. 17, 2008); initial release Sept. 25, 2006; support until Dec. 18, 2011; vulnerabilities: Critical 9, High 20, Medium 23, Low 1
  • 47 Struts 1: latest version 1.3.10 (released Dec. 7, 2014); initial release May 1, 2000; support until April 5, 2013; vulnerabilities: Critical 0, High 7, Medium 5, Low 0
NVD Vulnerability Information
(Fields per entry: No, CVE, Level with CVSS3 and CVSS2 scores, Attack Vector, Title, CWE, affected cpe23Uri with version bounds, Published date, Update date)

No. 41: CVE-2016-3081
  Level: HIGH (CVSS3 8.1, CVSS2 9.3); attack vector: Network
  Title: Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to …
  CWE: CWE-77 Command Injection
  Affected (cpe23Uri): cpe:2.3:a:apache:struts:2.3.8:*, cpe:2.3:a:apache:struts:2.3.7:*, cpe:2.3:a:apache:struts:2.3.4:*, cpe:2.3:a:apac…
  Published: 2016-04-26; last updated: 2024-11-21 11:49

No. 42: CVE-2016-4003
  Level: MEDIUM (CVSS3 6.1, CVSS2 4.3); attack vector: Network
  Title: Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to i…
  CWE: CWE-79 Cross-site Scripting
  Affected (cpe23Uri): cpe:2.3:a:apache:struts:*:*, versions 2.0.0 to 2.3.24.1 (inclusive)
  Published: 2016-04-13; last updated: 2024-11-21 11:51

No. 43: CVE-2016-2162
  Level: MEDIUM (CVSS3 6.1, CVSS2 4.3); attack vector: Network
  Title: Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspec…
  CWE: CWE-79 Cross-site Scripting
  Affected (cpe23Uri): cpe:2.3:a:apache:struts:2.3.8:*, cpe:2.3:a:apache:struts:2.3.7:*, cpe:2.3:a:apache:struts:2.3.4:*, cpe:2.3:a:apac…
  Published: 2016-04-13; last updated: 2024-11-21 11:47

No. 44: CVE-2016-0785
  Level: HIGH (CVSS3 8.8, CVSS2 9.0); attack vector: Network
  Title: Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.
  CWE: CWE-20 Improper Input Validation
  Affected (cpe23Uri): cpe:2.3:a:apache:struts:*:*, version bounds as listed: lower bounds 2.0.0 and 2.3.21, upper bounds 2.3.20.3 and 2.3.24.1 (inclusive)
  Published: 2016-04-13; last updated: 2024-11-21 11:42

No. 45: CVE-2015-1831
  Level: HIGH (CVSS3 -, CVSS2 7.5)
  Title: The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors.
  CWE: NVD-CWE-noinfo
  Affected (cpe23Uri): cpe:2.3:a:apache:struts:2.3.20:*
  Published: 2015-07-16; last updated: 2024-11-21 11:26

No. 46: CVE-2014-7809
  Level: MEDIUM (CVSS3 -, CVSS2 6.8)
  Title: Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.
  CWE: CWE-352 Origin Validation Error
  Affected (cpe23Uri): cpe:2.3:a:apache:struts:2.3.8:*, cpe:2.3:a:apache:struts:2.3.7:*, cpe:2.3:a:apache:struts:2.3.4:*, cpe:2.3:a:apac…
  Published: 2014-12-11; last updated: 2024-11-21 11:18

No. 47: CVE-2014-0116
  Level: MEDIUM (CVSS3 -, CVSS2 5.8)
  Title: CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate…
  CWE: CWE-264 Permissions, Privileges, and Access Controls
  Affected (cpe23Uri): cpe:2.3:a:apache:struts:2.3.8:*, cpe:2.3:a:apache:struts:2.3.7:*, cpe:2.3:a:apache:struts:2.3.4:*, cpe:2.3:a:apac…
  Published: 2014-05-08; last updated: 2024-11-21 11:01

No. 48: CVE-2014-0114
  Level: HIGH (CVSS3 -, CVSS2 7.5)
  Title: Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the …
  CWE: CWE-20 Improper Input Validation
  Affected (cpe23Uri): cpe:2.3:a:apache:struts:1.3.8:*, cpe:2.3:a:apache:struts:1.3.5:*, cpe:2.3:a:apache:struts:1.3.10:*, cpe:2.3:a:apa…
  Published: 2014-04-30; last updated: 2024-11-21 11:01

No. 49: CVE-2014-0113
  Level: HIGH (CVSS3 -, CVSS2 7.5)
  Title: CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" th…
  CWE: CWE-264 Permissions, Privileges, and Access Controls
  Affected (cpe23Uri): cpe:2.3:a:apache:struts:*:*, versions 2.0.0 to 2.3.16.2 (inclusive)
  Published: 2014-04-29; last updated: 2024-11-21 11:01

No. 50: CVE-2014-0112
  Level: HIGH (CVSS3 -, CVSS2 7.5)
  Title: ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code…
  CWE: CWE-264 Permissions, Privileges, and Access Controls
  Affected (cpe23Uri): cpe:2.3:a:apache:struts:*:*, versions 2.0.0 to 2.3.16.2 (inclusive)
  Published: 2014-04-29; last updated: 2024-11-21 11:01