CVE-2016-6795
Severity: CRITICAL
Apache Struts 2.3.x < 2.3.31 and 2.5.x < 2.5.5 - Remote Code Execution via Path Traversal
Title source: llmDescription
In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on the server side.
References (3)
- Vendor Advisory (x_refsource_confirm): https://security.netapp.com/advisory/ntap-20180629-0003/
- Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/93773
- Vendor Advisory (x_refsource_confirm): https://struts.apache.org/docs/s2-042.html
Scores
CVSS v3: 9.8
CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0473
EPSS Percentile: 89.5%
Details
CWE: CWE-22
Status: published
Products (21)
apache/struts: 2.3.20, 2.3.20.1, 2.3.20.2, 2.3.20.3, 2.3.21, 2.3.22, 2.3.23, 2.3.24, 2.3.24.1, 2.3.24.2, ... and 11 more
Published: Sep 20, 2017
Tracked Since: Feb 18, 2026