Description
Apache Struts RCE Vulnerability
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
References
- https://nvd.nist.gov/vuln/detail/CVE-2016-3081
- https://struts.apache.org/docs/s2-032.html
- https://web.archive.org/web/20210123152457/http://www.securityfocus.com/bid/91787
- https://web.archive.org/web/20210225192113/http://www.securityfocus.com/bid/87327
- https://web.archive.org/web/20210226011418/http://www.securitytracker.com/id/1035665
- https://www.exploit-db.com/exploits/39756
- http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html
- http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160527-01-struts2-en
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec
- http://www.rapid7.com/db/modules/exploit/multi/http/struts_dmi_exec
Packages
- org.apache.struts:struts2-core, affected: >= 2.3.19, <= 2.3.20.2, fixed: 2.3.20.3
- org.apache.struts:struts2-core, affected: >= 2.3.21, <= 2.3.24.2, fixed: 2.3.24.3
- org.apache.struts:struts2-core, affected: >= 2.3.25, <= 2.3.28, fixed: 2.3.28.1
Related vulnerabilities
A vulnerability in the implementation of the Dynamic Method Invocation (DMI) mechanism of the Apache Struts software platform that allows an attacker to execute arbitrary code