CVE-2016-3087
Published: 7 June 2016
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.
Notes
Author | Note |
---|---|
sbeattie | struts 2.x only |
Priority
Status
Package | Release | Status |
---|---|---|
libstruts1.2-java | precise | Not vulnerable (struts 2.x only) |
libstruts1.2-java | trusty | Does not exist (trusty was not-affected [struts 2.x only]) |
libstruts1.2-java | upstream | Needs triage |
libstruts1.2-java | wily | Does not exist |
libstruts1.2-java | xenial | Does not exist |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |