Product:

Struts

(Apache)
Repositories https://github.com/kawasima/struts1-forever
#Vulnerabilities 84
Date Id Summary Products Score Patch Annotated
2023-06-14 CVE-2023-34149 Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater. Struts 6.5
2023-06-14 CVE-2023-34396 Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater Struts 7.5
2006-03-30 CVE-2006-1546 Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check. Struts N/A
2014-04-30 CVE-2014-0114 Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. Commons_beanutils, Struts N/A
2016-06-07 CVE-2016-3093 Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors. Struts, Ognl 5.3
2019-12-05 CVE-2012-1592 A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files. Struts 8.8
2022-04-12 CVE-2021-31805 The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation. Struts 9.8
2020-12-11 CVE-2020-17530 Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25. Struts, Business_intelligence, Communications_diameter_intelligence_hub, Communications_policy_management, Communications_pricing_design_center, Financial_services_data_integration_hub, Hospitality_opera_5, Mysql_enterprise_monitor 9.8
2020-09-14 CVE-2019-0233 An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload. Struts, Communications_policy_management, Financial_services_data_integration_hub, Financial_services_market_risk_measurement_and_management, Mysql_enterprise_monitor 7.5
2012-01-08 CVE-2012-0392 The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. Struts N/A