Software Detail
Struts
Number Of NVD: 84 (CRITICAL 15, HIGH 34, MEDIUM 34, LOW 1)
URL: https://struts.apache.org
Explanation: Struts is an MVC framework for Java web applications, developed by the Apache Software Foundation. It is open source and can be used free of charge.

Highly urgent vulnerabilities, such as ones allowing remote command execution, have been found in it several times, and incidents such as information leaks have occurred through exploitation of these vulnerabilities.

Development of Struts 1 started in early 2000, and quite a number of companies have been using it.

Struts 1 is no longer supported.
Tag
  • Java
  • Apache License v2.0

Add Information URL
No Type Name URL
1 https://struts.apache.org/struts1eol-announcement.html
2 https://struts.apache.org/download.cgi
3 https://struts.apache.org/releases.html
4 https://github.com/apache/struts1
5 https://github.com/apache/struts
6 https://cwiki.apache.org/confluence/display/WW/Security+Bulletins
7 https://struts.apache.org/struts23-eol-announcement

List Of Product
No | Name | Latest Version | Release date | Initial release | Normal Support | Security Support / Service Pack Support | Extended (for a fee) | Critical | High | Medium | Low
61 Struts 6 6.7.0 Nov. 17, 2024 June 6, 2022 1 1 1 0
62 Struts 2.5 2.5.33 April 4, 2022 May 5, 2016 Oct. 30, 2023 April 30, 2024 7 9 5 0
63 Struts 2.3 2.3.37 Dec. 30, 2018 Dec. 9, 2011 Nov. 14, 2018 April 14, 2019 14 26 19 0
64 Struts 2.2 2.2.3.1 Sept. 7, 2011 June 29, 2010 Dec. 18, 2011 10 21 20 1
65 Struts 2.1 2.1.8.1 Nov. 11, 2009 Oct. 29, 2007 Dec. 18, 2011 9 21 21 1
66 Struts 2.0 2.0.15 Nov. 17, 2008 Sept. 25, 2006 Dec. 18, 2011 9 20 23 1
67 Struts 1 1.3.10 Dec. 7, 2014 May 1, 2000 April 5, 2013 0 7 5 0
NVD Vulnerability Information
No | CVSS3 | CVSS2 | Level | Attack Vector | Title | CWE | CVE | cpe23Uri (or higher / or less / more than / less than) | Update date | Published date
61 CVE-2013-1965
CVSS3: -, CVSS2: 9.3, Level: HIGH
Title: Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled …
CWE: CWE-94 Code Injection
cpe23Uri: cpe:2.3:a:apache:struts:*:* 2.0.0 2.3.14.1
Update date: 2024-11-21 10:50
Published date: 2013-07-11

62 CVE-2012-4387
CVSS3: -, CVSS2: 5.0, Level: MEDIUM
Title: Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.
CWE: CWE-264 Permissions, Privileges, and Access Controls
cpe23Uri:
  cpe:2.3:a:apache:struts:2.3.4:*
  cpe:2.3:a:apache:struts:2.3.3:*
  cpe:2.3:a:apache:struts:2.3.1:*
  cpe:2.3:a:apac…
Update date: 2024-11-21 10:42
Published date: 2012-09-06

63 CVE-2012-4386
CVSS3: -, CVSS2: 6.8, Level: MEDIUM
Title: The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (…
CWE: CWE-352 Origin Validation Error
cpe23Uri:
  cpe:2.3:a:apache:struts:2.3.4:*
  cpe:2.3:a:apache:struts:2.3.3:*
  cpe:2.3:a:apache:struts:2.3.1:*
  cpe:2.3:a:apac…
Update date: 2024-11-21 10:42
Published date: 2012-09-06

64 CVE-2012-0838
CVSS3: -, CVSS2: 10.0, Level: HIGH
Title: Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execu…
CWE: CWE-20 Improper Input Validation
cpe23Uri: cpe:2.3:a:apache:struts:*:* 2.0.0 2.2.3
Update date: 2024-11-21 10:35
Published date: 2012-03-03

65 CVE-2012-1007
CVSS3: -, CVSS2: 4.3, Level: MEDIUM
Title: Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-s…
CWE: CWE-79 Cross-site Scripting
cpe23Uri: cpe:2.3:a:apache:struts:1.3.10:*
Update date: 2024-11-21 10:36
Published date: 2012-02-07

66 CVE-2012-1006
CVSS3: -, CVSS2: 4.3, Level: MEDIUM
Title: Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.0.14 and 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to strut…
CWE: CWE-79 Cross-site Scripting
cpe23Uri:
  cpe:2.3:a:apache:struts:2.2.3:*
  cpe:2.3:a:apache:struts:2.0.14:*
Update date: 2024-11-21 10:36
Published date: 2012-02-07

67 CVE-2011-5057
CVSS3: -, CVSS2: 5.0, Level: MEDIUM
Title: Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attacke…
CWE: CWE-264 Permissions, Privileges, and Access Controls
cpe23Uri: cpe:2.3:a:apache:struts:*:* 2.0.0 2.3.3
Update date: 2024-11-21 10:33
Published date: 2012-01-09

68 CVE-2012-0391
CVSS3: 9.8, CVSS2: 9.3, Level: CRITICAL, Attack Vector: Network
Title: The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allow…
CWE: CWE-94 Code Injection
cpe23Uri: cpe:2.3:a:apache:struts:*:* 2.2.3.1
Update date: 2026-04-22 19:36
Published date: 2012-01-09

69 CVE-2012-0394
CVSS3: -, CVSS2: 6.8, Level: MEDIUM
Title: The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor chara…
CWE: CWE-94 Code Injection
cpe23Uri: cpe:2.3:a:apache:struts:*:* 2.0.0 2.3.17
Update date: 2024-11-21 10:34
Published date: 2012-01-09

70 CVE-2012-0393
CVSS3: -, CVSS2: 6.4, Level: MEDIUM
Title: The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted p…
CWE: CWE-264 Permissions, Privileges, and Access Controls
cpe23Uri: cpe:2.3:a:apache:struts:*:* 2.1.0 2.3.1.1
Update date: 2024-11-21 10:34
Published date: 2012-01-09