CVE-2016-3087

CRITICAL

Apache Struts < 2.3.20.3 - Improper Input Validation

Title source: rule

Description

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/39919
exploitdb WORKING POC
by nixawk · python · remote · multiple
https://www.exploit-db.com/exploits/43382
metasploit WORKING POC EXCELLENT
by Nixawk · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_dmi_rest_exec.rb

Scores

CVSS v3 9.8
EPSS 0.8701
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20
Status published
Products (6)
apache/struts 2.3.20
apache/struts 2.3.20.1
apache/struts 2.3.24
apache/struts 2.3.24.1
apache/struts 2.3.28
org.apache.struts/struts2-core 2.3.19 - 2.3.20.3 (Maven)
Published Jun 07, 2016
Tracked Since Feb 18, 2026