CVE-2016-4461

CWE-20Improper Input ValidationCWE-744 documents4 sources
Severity
8.8HIGH
EPSS
1.7%
top 17.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Struts
Timeline
PublishedOct 16
Latest updateMay 14

Description

Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDapache/struts2.0.02.3.29
Mavenorg.apache.struts:struts2-core2.0.02.3.29

🔴Vulnerability Details

3
OSV
Apache Struts forced double OGNL evaluation2022-05-14
GHSA
Apache Struts forced double OGNL evaluation2022-05-14
CVEList
CVE-2016-4461: Apache Struts 22017-10-16
CVE-2016-4461 (HIGH CVSS 8.8) | Apache Struts 2.x before 2.3.29 all | cvebase.io