Homepage
About Snyk

org.apache.struts:struts2-core@2.5.18 vulnerabilities

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.struts:struts2-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Remote Code Execution (RCE)

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via manipulation of file upload parameters that enable path traversal. Under certain conditions, uploading of a malicious file is possible, which may then be executed on the server.

How to fix Remote Code Execution (RCE)?

Upgrade org.apache.struts:struts2-core to version 2.5.33, 6.3.0.2 or higher.

[,2.5.33) [6.0.0,6.3.0.2)
  • M
Denial of Service

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Denial of Service when certain fields exceed the maxStringLength limit during multipart requests. An attacker can exploit this to leave uploaded files in the struts.multipart.saveDir even after the request has been denied resulting in excessive disk usage.

How to fix Denial of Service?

Upgrade org.apache.struts:struts2-core to version 2.5.32, 6.1.2.2, 6.3.0.1 or higher.

[,2.5.32) [6.0.0,6.1.2.2) [6.2.0,6.3.0.1)
  • H
Allocation of Resources Without Limits or Throttling

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when it loads non-file regular form fields from a Multipart request into memory as Strings without verifying their sizes.

This vulnerability can be exploited if a developer has set struts.multipart.maxSize to a value equal to or greater than the available memory.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade org.apache.struts:struts2-core to version 2.5.31, 6.1.2.1 or higher.

[2.5.1,2.5.31) [6.1.2,6.1.2.1)
  • M
Allocation of Resources Without Limits or Throttling

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper handling of getProperty() by the XWorkListPropertyAccessor class. Exploiting this vulnerability is possible if the developer has set CreateIfNull to true for the underlying Collection type field.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade org.apache.struts:struts2-core to version 2.5.31, 6.1.2.1 or higher.

[2.0.0,2.5.31) [6.1.2,6.1.2.1)
  • H
Remote Code Execution (RCE)

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). The fix issued for CVE-2020-17530 was incomplete. Some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

How to fix Remote Code Execution (RCE)?

Upgrade org.apache.struts:struts2-core to version 2.5.30 or higher.

[2.0.0,2.5.30)
  • C
Remote Code Execution (RCE)

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). The vulnerability exists due to improper input validation when processing certain tag's attributes. The application performs double evaluation of the code if a developer applied forced OGNL evaluation by using the %{...} syntax. A remote attacker can send a specially crafted request to the application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

How to fix Remote Code Execution (RCE)?

Upgrade org.apache.struts:struts2-core to version 2.5.26 or higher.

[2.0.0,2.5.26)
  • H
Denial of Service (DoS)

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Denial of Service (DoS). When a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container's temp directory to read-only, such that subsequent upload actions will fail.

How to fix Denial of Service (DoS)?

Upgrade org.apache.struts:struts2-core to version 2.5.22 or higher.

[2.0.0,2.5.22)
  • C
Remote Code Execution (RCE)

org.apache.struts:struts2-core is a popular open-source framework for developing web applications in the Java programming language.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

How to fix Remote Code Execution (RCE)?

Upgrade org.apache.struts:struts2-core to version 2.5.22 or higher.

[2.0.0,2.5.22)
Go back to all versions of this package