Vulnerability Details : CVE-2018-11776

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are subject to possible remote code execution when alwaysSelectFullNamespace is true (set either by the user or by a plugin such as the Convention Plugin) and either of the following also holds: results are used with no namespace while their upper package has no namespace or a wildcard namespace; or a url tag is used without value and action set while its upper package has no namespace or a wildcard namespace.
Vulnerability category: Input validation, Execute code
Published 2018-08-22 13:29:01
Updated 2023-06-12 07:15:10
At least one public exploit which can be used to exploit this vulnerability exists!
CVE-2018-11776 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Apache Struts Remote Code Execution Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Apache Struts contains a vulnerability which allows for remote code execution under two circumstances. One, where the alwaysSelectFullNamespace option is true and the value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildca
Added on 2021-11-03; action due date 2022-05-03

Exploit prediction scoring system (EPSS) score for CVE-2018-11776

Probability of exploitation activity in the next 30 days: 97.56%

Percentile (the proportion of vulnerabilities that are scored at or less): ~100%

Metasploit modules for CVE-2018-11776

  • Apache Struts 2 Namespace Redirect OGNL Injection
    Disclosure Date : 2018-08-22
    exploit/multi/http/struts2_namespace_ognl
    This module exploits a remote code execution vulnerability in Apache Struts version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed via an endpoint that makes use of a redirect action.
    Note that this exploit is dependent on the version of Tomcat running on the target. Versions of Tomcat starting with 7.0.88 currently don't support payloads larger than ~7.5kb. Windows Meterpreter sessions on Tomcat >=7.0.88 are currently not supported.
    Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.
    Authors: Man Yue Mo, hook-s3c, asoto-r7, wvu <[email protected]>

CVSS scores for CVE-2018-11776

| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
| 9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | [email protected] |
| 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | [email protected] |

CWE ids for CVE-2018-11776

  • The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
    Assigned by: [email protected] (Primary)
