CVE-2016-0785: Improper Input Validation in Apache Struts

Severity: 8.8 HIGH (NVD)
EPSS: 17.8% (top 4.86%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Apr 12
Latest update: May 14

Description

Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (1 package)

NVD: apache/struts, 2.0.0 to 2.3.20.3 (+1)

🔴 Vulnerability Details (4)

OSV: Apache Struts RCE Vulnerability (2022-05-14)
GHSA: Apache Struts RCE Vulnerability (2022-05-14)
GHSA: Apache Struts forced double OGNL evaluation (2022-05-14)
CVEList: CVE-2016-0785: Apache Struts 2 (2016-04-12)

📋 Vendor Advisories (1)

Red Hat: struts2: forced double OGNL evaluation on raw input in tag attributes (2016-04-13)

💬 Community (1)

Bugzilla: CVE-2016-0785 struts2: forced double OGNL evaluation on raw input in tag attributes (2016-04-13)
CVE-2016-0785 — Improper Input Validation in Apache | cvebase