CVE-2008-6505

Apache Struts 2.0.0-2.0.11 and 2.1.0-2.1.2 - Path Traversal via Encoded Dot-Dot-Slash in URI

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-6505. PoCs published by Csaba Barta.

AI-analyzed exploit summary This exploit demonstrates directory traversal vulnerabilities in Apache Struts versions prior to 2.0.12. It uses URL-encoded traversal sequences to access arbitrary files, such as those in the WEB-INF directory, by manipulating the path.

Description

Multiple directory traversal vulnerabilities in Apache Struts 2.0.x before 2.0.12 and 2.1.x before 2.1.3 allow remote attackers to read arbitrary files via a ..%252f (encoded dot dot slash) in a URI with a /struts/ path, related to (1) FilterDispatcher in 2.0.x and (2) DefaultStaticContentLoader in 2.1.x.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Csaba Barta · textremotemultiple

https://www.exploit-db.com/exploits/32565

View Code ZIP pw:eip

This exploit demonstrates directory traversal vulnerabilities in Apache Struts versions prior to 2.0.12. It uses URL-encoded traversal sequences to access arbitrary files, such as those in the WEB-INF directory, by manipulating the path.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Apache Struts < 2.0.12

No auth needed

Prerequisites: Access to the target web application

MITRE ATT&CK

T1006 - Direct Volume Access

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (7)

Core 7

Core References

Various Sources x_refsource_confirm

http://issues.apache.org/struts/browse/WW-2779

Vendor Advisory x_refsource_confirm

http://struts.apache.org/2.x/docs/s2-004.html

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2008/3003

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/32497

Vendor Advisory vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/32104

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://osvdb.org/49733

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://osvdb.org/49734

Scores

EPSS 0.8310

EPSS Percentile 99.3%

Details

CWE

CWE-22

Status published

Products (8)

apache/struts 2.0.6

apache/struts 2.0.8

apache/struts 2.0.9

apache/struts 2.0.11

apache/struts 2.0.11.1

apache/struts 2.0.11.2

apache/struts 2.1.2_beta

org.apache.struts/struts2-core 2.0.0 - 2.0.12Maven

Published Mar 23, 2009

Tracked Since Feb 18, 2026