CVE-2016-6795

CWE-22 — Path Traversal4 documents4 sources

Severity

9.8CRITICAL

EPSS

5.0%

top 10.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Struts Apache Struts

Timeline

PublishedSep 20

Latest updateMay 14

Description

In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.apache.struts:struts2-convention-plugin2.3.0 — 2.3.31+1

▶NVDapache/struts18 versions+17

▶CVEListV5apache_software_foundation/apache_struts2.3.x before 2.3.31, 2.5.x before 2.5.5+1

🔴Vulnerability Details

OSV

Path Traversal in Apache Struts↗2022-05-14

▶

GHSA

Path Traversal in Apache Struts↗2022-05-14

▶

CVEList

CVE-2016-6795: In the Convention plugin in Apache Struts 2↗2017-09-20

▶