#Vulnerabilities 80
Date Id Summary Products Score Patch Annotated
2018-02-06 CVE-2017-7525 A deserialization flaw was discovered in the jackson-databind, versions before, and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. Struts, Debian_linux, Jackson\-Databind, Oncommand_balance, Oncommand_performance_manager, Oncommand_shift, Snapcenter, Banking_platform, Communications_billing_and_revenue_management, Communications_communications_policy_management, Communications_diameter_signaling_route, Communications_instant_messaging_server, Enterprise_manager_for_virtualization, Financial_services_analytical_applications_infrastructure, Global_lifecycle_management_opatchauto, Primavera_unifier, Utilities_advanced_spatial_and_operational_analytics, Webcenter_portal, Jboss_enterprise_application_platform, Openshift_container_platform, Virtualization, Virtualization_host 9.8
2020-12-11 CVE-2020-17530 Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25. Struts, Financial_services_data_integration_hub 9.8
2020-09-14 CVE-2019-0230 Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Struts, Financial_services_data_integration_hub, Financial_services_market_risk_measurement_and_management 9.8
2020-09-14 CVE-2019-0233 An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload. Struts, Financial_services_data_integration_hub, Financial_services_market_risk_measurement_and_management 7.5
2012-01-08 CVE-2012-0392 The CookieInterceptor component in Apache Struts before does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. Struts N/A
2017-03-11 CVE-2017-5638 The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. Struts 10.0
2014-04-30 CVE-2014-0114 Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. Commons_beanutils, Struts N/A
2020-02-27 CVE-2015-2992 Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability. Struts 6.1
2012-01-08 CVE-2012-0394 ** DISPUTED ** The DebuggingInterceptor component in Apache Struts before, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself." Struts N/A
2018-03-27 CVE-2018-1327 The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16. Struts 7.5