org.apache.struts:struts-core@1.3.5 vulnerabilities

latest version

1.3.10
first published

18 years ago
latest version published

15 years ago
licenses detected
- Apache-2.0
  [1.3.5,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.struts:struts-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Arbitrary Code Execution org.apache.struts:struts-core is a free, open-source, MVC framework for creating Java web applications. Affected versions of this package are vulnerable to Arbitrary Code Execution where the class property is not suppressed. It allows remote attackers to "manipulate" the `ClassLoader` and to execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the `getClass` method of the `ActionForm` object in Struts 1. Note: `Struts1` has been deprecated. Users should use `Struts2` which is not vulnerable to this issue. How to fix Arbitrary Code Execution? A fix was pushed into the `master` branch but not yet published.	[0,)
H Arbitrary Code Injection org.apache.struts:struts-core is a free, open-source, MVC framework for creating Java web applications. Affected versions of this package are vulnerable to Arbitrary Code Injection. It allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. How to fix Arbitrary Code Injection? There is no fixed version for `org.apache.struts:struts-core`.	[0,)

Arbitrary Code Execution

org.apache.struts:struts-core is a free, open-source, MVC framework for creating Java web applications.

Affected versions of this package are vulnerable to Arbitrary Code Execution where the class property is not suppressed. It allows remote attackers to "manipulate" the ClassLoader and to execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Note: Struts1 has been deprecated. Users should use Struts2 which is not vulnerable to this issue.

How to fix Arbitrary Code Execution?

A fix was pushed into the master branch but not yet published.

[0,)

Arbitrary Code Injection

org.apache.struts:struts-core is a free, open-source, MVC framework for creating Java web applications.

Affected versions of this package are vulnerable to Arbitrary Code Injection. It allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.

How to fix Arbitrary Code Injection?

There is no fixed version for org.apache.struts:struts-core.

[0,)

Go back to all versions of this package

org.apache.struts:struts-core@1.3.5 vulnerabilities

latest version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities