CVE-2008-6505
Published 2009-03-23
CVE-2008-6505: Multiple directory traversal vulnerabilities in Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3 allow remote attackers to read arbitrary files via a…
Priority P3 · 48 · medium · CVSS 2.0: 5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 72.52% (99.4th percentile)
Multiple directory traversal vulnerabilities in Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3 allow remote attackers to read arbitrary files via a ..%252f (encoded dot dot slash) in a URI with a /struts/ path, related to (1) FilterDispatcher in 2.0.x and (2) DefaultStaticContentLoader in 2.1.x.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
Detection & IOCs
URL: http://www.example.com:8080/struts2-blank-2.0.11.1/struts/..%252f..%252f..%252fWEB-INF/classess/example/Log\in.class/
- Detect double-percent-encoded directory traversal sequences (%252f) in URI paths containing /struts/; this is the core exploit pattern for CVE-2008-6505 targeting FilterDispatcher (2.0.x) and DefaultStaticContentLoader (2.1.x).
- Alert on HTTP requests where the URI contains /struts/ followed by ..%252f sequences, especially those targeting sensitive paths such as WEB-INF/.
- Flag requests to /struts/.. (unencoded dot-dot) as a variant traversal attempt against vulnerable Struts 2.0.x endpoints.
- The vulnerability affects only Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3; patched versions are not susceptible.
- The traversal is enabled by double URL-encoding: %252f becomes %2f after the first decode and / after the second, so WAFs or proxies that decode only once may miss this bypass.
- Files are read with the privileges of the webserver process, so the impact depends on the webserver account's filesystem permissions.
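The detection notes above can be turned into a log check that decodes the request path until it stops changing, so single, double and unencoded variants are all caught by one rule. This is an added example, not code from the advisory or from Struts; the function names, the `MAX_DECODE_PASSES` bound, the `/app` prefix and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

MAX_DECODE_PASSES = 5  # assumed bound on nested percent-encoding worth unwrapping
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /app/struts/domTT.css HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "GET /app/struts/..%252f..%252f..%252fWEB-INF/web.xml HTTP/1.1" 200 2048',
    '192.0.2.12 - - [01/Jan/2024:10:00:02 +0000] "GET /app/struts/../WEB-INF/web.xml HTTP/1.1" 404 0',
    '192.0.2.13 - - [01/Jan/2024:10:00:03 +0000] "GET /app/index.action?name=a%252fb HTTP/1.1" 200 900',
]

def fully_decode(path):
    """Percent-decode repeatedly until the string is stable; return (decoded, passes)."""
    passes = 0
    while passes < MAX_DECODE_PASSES:
        decoded = unquote(path)
        if decoded == path:
            break
        path, passes = decoded, passes + 1
    return path, passes

def classify(request_target):
    """Return a finding for a dot-dot segment after /struts/, else None."""
    decoded, passes = fully_decode(urlsplit(request_target).path)
    decoded = decoded.replace("\\", "/")  # assumption: treat backslash as a separator too
    m = re.search(r"/struts/(.*)", decoded, re.I | re.S)
    if not m or ".." not in m.group(1).split("/"):
        return None
    tail = m.group(1)
    return {
        "encoding_passes": passes,           # 0 = unencoded, 1 = %2f, 2 = %252f
        "double_encoded": passes >= 2,       # the single-decode bypass case
        "targets_web_inf": "web-inf" in tail.lower(),
        "decoded_path": decoded,
    }

def scan(lines):
    """Return (line_number, finding) for every flagged log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        finding = classify(m.group(1)) if m else None
        if finding:
            hits.append((n, finding))
    return hits

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Only the path is inspected, so a double-encoded slash in a query string (line 4 of the sample) is not reported, and a file name that merely contains two dots is not treated as a traversal segment.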
OSV
Apache Struts directory traversal vulnerability
osv · 2022-05-17
CVE-2008-6505 [MEDIUM] Apache Struts directory traversal vulnerability
GHSA
Apache Struts directory traversal vulnerability
ghsa · 2022-05-17
CVE-2008-6505 [MEDIUM] CWE-22 Apache Struts directory traversal vulnerability
No detection rules found.
No writeups or analysis indexed.
- http://issues.apache.org/struts/browse/WW-2779
- http://osvdb.org/49733
- http://osvdb.org/49734
- http://secunia.com/advisories/32497
- http://struts.apache.org/2.x/docs/s2-004.html
- http://www.securityfocus.com/bid/32104
- http://www.vupen.com/english/advisories/2008/3003
Published: 2009-03-23