Vulnerability Details: CVE-2018-11776
Public exploit exists!
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (set either by the user or by a plugin such as the Convention Plugin) and one of the following also holds: results are used with no namespace and, at the same time, their upper package has no namespace or a wildcard namespace; or, similarly, a url tag is used that has no value and action set and, at the same time, its upper package has no namespace or a wildcard namespace.
Vulnerability category: Execute code
Products affected by CVE-2018-11776
- cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
- Oracle » Mysql Enterprise Monitor, versions from (including) 8.0.0 up to (including) 8.0.2.8191: cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
- Oracle » Mysql Enterprise Monitor, versions from (including) 4.0.0 up to (including) 4.0.6.5281: cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_policy_management:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*
CVE-2018-11776 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name: Apache Struts Remote Code Execution Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description:
Apache Struts contains a vulnerability that allows for remote code execution under two circumstances. One, where the alwaysSelectFullNamespace option is true and the value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcar
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-11776
Added on: 2021-11-03
Action due date: 2022-05-03
Exploit prediction scoring system (EPSS) score for CVE-2018-11776
- 97.33%: probability of exploitation activity in the next 30 days
- ~100%: percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2018-11776
- Apache Struts 2 Namespace Redirect OGNL Injection
  Disclosure Date: 2018-08-22
  First seen: 2020-04-26
  exploit/multi/http/struts2_namespace_ognl
  This module exploits a remote code execution vulnerability in Apache Struts version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed via an endpoint that makes use of a redirect action. Note that this exploit is dependant on the version of Tomca
CVSS scores for CVE-2018-11776
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | NIST | |
8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST | |
8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST | 2024-07-25 |
References for CVE-2018-11776
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
  Apache Software Foundation Security Report: 2019 - Pony Mail
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
  CPU Oct 2018 [Patch; Third Party Advisory]
- https://www.exploit-db.com/exploits/45367/
  Apache Struts 2 - Namespace Redirect OGNL Injection (Metasploit) [Exploit; Third Party Advisory; VDB Entry]
- https://www.oracle.com/security-alerts/cpujul2020.html
  Oracle Critical Patch Update Advisory - July 2020 [Third Party Advisory]
- https://cwiki.apache.org/confluence/display/WW/S2-057
  S2-057 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation [Issue Tracking; Third Party Advisory]
- https://www.exploit-db.com/exploits/45262/
  Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (2) [Exploit; Third Party Advisory; VDB Entry]
- https://security.netapp.com/advisory/ntap-20180822-0001/
  CVE-2018-11776 Apache Struts Vulnerability in NetApp Products | NetApp Product Security [Third Party Advisory]
- http://www.securitytracker.com/id/1041888
  MySQL Multiple Flaws Let Remote Users Gain Elevated Privileges, Remote Authenticated Users Access and Modify Data, and Remote and Local Users Deny Service - SecurityTracker [Broken Link; Third Party Advisory; VDB Entry]
- https://lgtm.com/blog/apache_struts_CVE-2018-11776
  CVE-2018-11776: How to find 5 RCEs in Apache Struts with Semmle QL - Blog - LGTM [Exploit; Third Party Advisory]
- https://security.netapp.com/advisory/ntap-20181018-0002/
  October 2018 MySQL Vulnerabilities in NetApp Products | NetApp Product Security [Third Party Advisory]
- http://packetstormsecurity.com/files/172830/Apache-Struts-Remote-Code-Execution.html
  Apache Struts Remote Code Execution ≈ Packet Storm [Third Party Advisory; VDB Entry]
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
  Oracle Critical Patch Update - January 2019 [Patch; Third Party Advisory]
- http://www.securityfocus.com/bid/105125
  Apache Struts CVE-2018-11776 Remote Code Execution Vulnerability [Broken Link; Third Party Advisory; VDB Entry]
- https://www.exploit-db.com/exploits/45260/
  Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (1) [Exploit; Third Party Advisory; VDB Entry]
- https://github.com/hook-s3c/CVE-2018-11776-Python-PoC
  GitHub - hook-s3c/CVE-2018-11776-Python-PoC: Working Python test and PoC for CVE-2018-11776, includes Docker lab [Exploit; Third Party Advisory]
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-11776-5072787.html
  Oracle Security Alert CVE-2018-11776 [Patch; Third Party Advisory]
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
  Apache Software Foundation Security Report: 2019-Apache Mail Archives [Mailing List]
- http://www.securitytracker.com/id/1041547
  Apache Struts Undefined Namespace Processing Lets Remote Users Execute Arbitrary Code on the Target System - SecurityTracker [Broken Link; Third Party Advisory; VDB Entry]
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0012
  SonicWall Security Advisory [Third Party Advisory]
- http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-005.txt
  [Mailing List; Third Party Advisory]