CVE-2016-6795
critical
CVSS v3
9.8
CVSS v2
7.5
VIR risk
9.8
Description
Path Traversal in Apache Struts
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: security@apache.org — https://struts.apache.org/docs/s2-042.html
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.struts:struts2-convention-plugin | >=2.3.0,<2.3.31 | 2.3.31 |
| Maven | org.apache.struts:struts2-convention-plugin | >=2.5.0,<2.5.5 | 2.5.5 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apache | struts | 2.3.20 | |
| apache | struts | 2.3.20.1 | |
| apache | struts | 2.3.20.2 | |
| apache | struts | 2.3.20.3 | |
| apache | struts | 2.3.21 | |
| apache | struts | 2.3.22 | |
| apache | struts | 2.3.23 | |
| apache | struts | 2.3.24 | |
| apache | struts | 2.3.24.1 | |
| apache | struts | 2.3.24.2 | |
| apache | struts | 2.3.24.3 | |
| apache | struts | 2.3.25 | |
| apache | struts | 2.3.26 | |
| apache | struts | 2.3.27 | |
| apache | struts | 2.3.28 | |
| apache | struts | 2.3.28.1 | |
| apache | struts | 2.3.29 | |
| apache | struts | 2.3.30 | |
References
- http://www.securityfocus.com/bid/93773
- https://security.netapp.com/advisory/ntap-20180629-0003/
- https://struts.apache.org/docs/s2-042.html
- https://nvd.nist.gov/vuln/detail/CVE-2016-6795
- https://github.com/apache/struts/commit/8e67b9144aa643769b261e2492cb561e04d016ab
- https://github.com/apache/struts/commit/c1869f4989942dd33fa4e189e0ac1f766fb5ac14
- https://github.com/apache/struts
- https://security.netapp.com/advisory/ntap-20180629-0003
- https://web.archive.org/web/20200227214705/http://www.securityfocus.com/bid/93773
CWEs
CWE-22
Verify integrity in audit chain (admin only). AS-IS.