CVE-2008-6505
published 2009-03-23


Priority: P3 (48)
CVSS 2.0: 5 (medium), vector AV:N/AC:L/Au:N/C:P/I:N/A:N
Flags: EXPLOIT
EPSS: 72.52% (99.4th percentile)
Multiple directory traversal vulnerabilities in Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3 allow remote attackers to read arbitrary files via a ..%252f (encoded dot dot slash) in a URI with a /struts/ path, related to (1) FilterDispatcher in 2.0.x and (2) DefaultStaticContentLoader in 2.1.x.

Affected: 7 ranges, all vendor apache / product struts; the version-range and fixed-in columns are blank in this record.

Detection & IOCs (extracted from sources)

url: http://www.example.com:8080/struts2-blank-2.0.11.1/struts/..
url: http://www.example.com:8080/struts2-blank-2.0.11.1/struts/..%252f
url: http://www.example.com:8080/struts2-blank-2.0.11.1/struts/..%252f..%252f..%252fWEB-INF/classess/example/Log\in.class/
path: /struts/..%252f
  • Detect double-percent-encoded directory traversal sequences (%252f) in URI paths containing /struts/ — this is the core exploit pattern for CVE-2008-6505 targeting FilterDispatcher (2.0.x) and DefaultStaticContentLoader (2.1.x).
  • Alert on HTTP requests where the URI contains /struts/ followed by ..%252f sequences, especially targeting sensitive paths such as WEB-INF/.
  • Flag requests to /struts/.. (unencoded dot-dot) as a variant traversal attempt against vulnerable Struts 2.0.x endpoints.
  • Vulnerability affects Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3 only; patched versions are not susceptible.
  • The traversal is enabled by double URL-encoding (%252f = %2f after first decode = /); WAFs or proxies that only decode once may miss this bypass.
  • Files are read with the privileges of the webserver process, so impact scope depends on the webserver account's filesystem permissions.
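A defender-side check for the double-encoding point above, written as an added example that is not part of this record or of the Struts project: it percent-decodes a request path until it stops changing, then flags any `..` segment after `/struts/` and reports how many decode rounds were needed (2 means a filter that decodes only once would have missed it). The log lines are constructed samples, not real traffic.

```python
"""Log check for CVE-2008-6505 style traversal under /struts/ (added example)."""
from urllib.parse import unquote

# Constructed sample request lines (CLF request field), not captured traffic.
SAMPLE_LOG = [
    'GET /struts2-blank-2.0.11.1/struts/..%252f..%252f..%252fWEB-INF/web.xml HTTP/1.1',
    'GET /struts2-blank-2.0.11.1/struts/..%2fWEB-INF/web.xml HTTP/1.1',
    'GET /struts2-blank-2.0.11.1/struts/.. HTTP/1.1',
    'GET /struts2-blank-2.0.11.1/struts/dojo/dojo.js HTTP/1.1',
    'GET /app/images/..%252f..%252fetc/passwd HTTP/1.1',
]

MAX_DECODE_ROUNDS = 4  # bound the loop; nested encodings deeper than this are themselves suspicious


def full_decode(path):
    """Percent-decode until the string stops changing; return (decoded, rounds_used)."""
    rounds = 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(path)      # one decode pass: %252f -> %2f, %2f -> /
        if decoded == path:
            return path, rounds
        path = decoded
        rounds += 1
    return path, rounds


def is_struts_traversal(raw_path):
    """Return the decode depth (0, 1, 2, ...) if a '..' segment follows '/struts/', else None."""
    path = raw_path.split('?', 1)[0]             # ignore the query string
    decoded, rounds = full_decode(path)
    idx = decoded.find('/struts/')
    if idx < 0:
        return None                               # not a /struts/ static-content path
    tail = decoded[idx + len('/struts/'):]
    if '..' in tail.split('/'):                   # covers '/struts/..' and '/struts/../x'
        return rounds
    return None


def scan_log(lines):
    """Return (path, decode_depth) for every request that traverses under /struts/."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        depth = is_struts_traversal(parts[1])
        if depth is not None:
            hits.append((parts[1], depth))
    return hits
```

A depth of 2 on a hit is the `%252f` case from the IOC list; a single-decode proxy rule would still see `%2f` and pass it through.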