Apache Struts CVE List

CVE-2012-1007 - Not Affected

Parameters of the Struts Example Application are vulnerable to XSS.

Yellowfin does not ship with the Struts Example Application and is therefore not affected by the vulnerable parameters described here.

CVE-2013-2115 - Not Affected

Improper handling when using the includeParams attribute can lead to remote command execution with Apache Struts 2 before 2.3.14.2.

The includeParams attribute is not part of the Struts 1.x framework.

CVE-2013-1966 - Not Affected

Improper handling when using the includeParams attribute can lead to remote command execution with Apache Struts 2 before 2.3.14.1.

The includeParams attribute is not part of the Struts 1.x framework.

CVE-2014-0114 - Not Affected

Failure to suppress the class property allows remote attackers to execute arbitrary code through the class parameter.

This vulnerability was patched in Struts 1.3.10.12fc. This item was tested by the Yellowfin Security team and has been confirmed as Not Affected.

CVE-2015-0899 - Not Affected

A vulnerability in the MultiPageValidator allows access restrictions to be bypassed via a modified page parameter.

This vulnerability was patched in Struts 1.3.10.14fc. A source code analysis confirmed that we do not use the MultiPageValidator class within our application.

CVE-2016-0785

Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute.

Struts 1.x uses a different tag system that is not compatible with Struts 2.x. The vulnerable sequence is part of the Struts 2.x tag syntax.

CVE-2016-1181 - Not Affected

ActionServlet.java mishandles multithreaded access, allowing code execution or denial of service (DoS).

This item was patched in Struts 1.3.10.19fc. We have applied a static patch to our bundled version of Struts 1.3.10.17fc to address this. A source code analysis also revealed we are not utilizing the vulnerable classes.

CVE-2016-1182 - Not Affected

ActionServlet.java improperly restricts the Validator configuration, allowing cross-site scripting (XSS).

This item was patched in Struts 1.3.10.19fc. We have applied a static patch to our bundled version of Struts 1.3.10.17fc to address this. A source code analysis also revealed we are not utilizing the vulnerable classes.

CVE-2017-5638 - Not Affected

This relates to a vulnerability in Struts 2 when using the Jakarta Multipart parser. It allows a Content-Type HTTP header to be injected with a command string that executes remote code on the server.

This vulnerability is specific to the JakartaMultiPartRequest class, which is not part of the Struts 1.x framework.

CVE-2017-9805 - Not Affected

A vulnerability in the REST Plugin of Struts 2.x allows deserialization without any type filtering, leading to Remote Code Execution (RCE).

The REST Plugin for Struts is only available with Struts 2.1.1 or later. Yellowfin does not use the vulnerable component or classes.

CVE-2018-11776 - Not Affected

This vulnerability is listed against Struts 2, 2.3.x before 2.3.35 and 2.5.x before 2.5.17. It is a Remote Code Execution (RCE) vulnerability that applies when the alwaysSelectFullNamespace flag is set to true and actions are configured with no namespace or a wildcard namespace.

Struts 1 uses action mappings rather than the Struts 2 namespaces.