CVE-2016-3087
Description
Apache Struts vulnerable to arbitrary remote code execution due to improper input validation
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution (Metasploit)
Apache Struts - REST Plugin With Dynamic Method Invocation Remote Code Execution
Metasploit modules
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.struts:struts2-core | >=2.3.19,<2.3.20.3 | 2.3.20.3 |
| Maven | org.apache.struts:struts2-core | >=2.3.21,<2.3.24.3 | 2.3.24.3 |
| Maven | org.apache.struts:struts2-core | >=2.3.25,<2.3.28.1 | 2.3.28.1 |
References
- http://struts.apache.org/docs/s2-033.html
- http://www-01.ibm.com/support/docview.wss?uid=swg21987854
- http://www.securityfocus.com/bid/90960
- http://www.securitytracker.com/id/1036017
- https://www.exploit-db.com/exploits/39919/
- https://nvd.nist.gov/vuln/detail/CVE-2016-3087
- https://github.com/apache/struts/commit/6bd694b7980494c12d49ca1bf39f12aec3e03e2f
- https://github.com/apache/struts
- https://web.archive.org/web/20160616082237/http://www.securitytracker.com/id/1036017
- https://web.archive.org/web/20160728170709/http://www.securityfocus.com/bid/90960
- https://www.exploit-db.com/exploits/39919
CWEs
CWE-20
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.