Apache Struts CVE List

CVE-2013-2115 - Not Affected

Disclosure Link

Improper handling when using the includeParams attribute can lead to remote command execution with Apache Struts 2 before 2.3.14.2.

Triage of our application against this listing shows Yellowfin is not affected.

CVE-2013-1966 - Not Affected

Disclosure Link

Improper handling when using the includeParams attribute can lead to remote command execution with Apache Struts 2 before 2.3.14.1.

Triage of our application against this listing shows Yellowfin is not affected.

CVE-2017-5638 - Not Affected

This relates to a vulnerability in Struts 2 when using the Jakarta Multipart parser. It allows a command string injected into the Content-Type HTTP header to execute code remotely on the server. This is listed as affecting:

Struts 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1.

Using the Struts showcase example application, I was able to successfully exploit these versions of Struts (2) and gain a remote shell to the server hosting the application.

I then used this same process against our Yellowfin application. Since this exploit specifically targets the above-mentioned versions of Struts 2, the exploit was not successful.

CVE-2017-9805 - Not Affected

This vulnerability targets Struts 2.1.2 - 2.3.33 and 2.5.x before 2.5.13 and allows remote code execution when the REST plugin is in use. Using the Struts 2 Showcase sample application, I was successfully able to gain a remote shell on the hosting server with this exploit.

When targeting Yellowfin, the exploit was not successful. This is due to the version difference in Struts, as well as the lack of the REST plugin.

CVE-2018-11776 - Not Affected

Disclosure Link

This vulnerability is listed against Struts 2: 2.3.x before 2.3.35 and 2.5.x before 2.5.17. It is a Remote Code Execution (RCE) vulnerability that applies when alwaysSelectFullNamespace is set to true and actions are configured with no namespace or a wildcard namespace.

Struts 1 does not feature either of these items in its configuration, so Yellowfin is not vulnerable to this item.
