CVE-2020-17530
Known exploited
Public exploit
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
Max CVSS
9.8
EPSS Score
97.23%
Published
2020-12-11
Updated
2022-06-03
CISA KEV Added
2021-11-03
CVE-2019-0230
Public exploit
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Max CVSS
9.8
EPSS Score
95.36%
Published
2020-09-14
Updated
2022-12-02
CVE-2016-3081
Public exploit
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
Max CVSS
9.3
EPSS Score
97.52%
Published
2016-04-26
Updated
2019-08-12
CVE-2014-0112
Public exploit
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Max CVSS
7.5
EPSS Score
97.40%
Published
2014-04-29
Updated
2019-08-12
CVE-2014-0094
Public exploit
The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.
Max CVSS
5.0
EPSS Score
97.09%
Published
2014-03-11
Updated
2019-08-12
CVE-2013-2251
Known exploited
Public exploit
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
Max CVSS
9.3
EPSS Score
97.42%
Published
2013-07-20
Updated
2020-10-20
CISA KEV Added
2022-03-25
CVE-2013-2115
Public exploit
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.
Max CVSS
9.3
EPSS Score
0.22%
Published
2013-07-10
Updated
2020-09-24
CVE-2013-1966
Public exploit
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.
Max CVSS
9.3
EPSS Score
1.86%
Published
2013-07-10
Updated
2019-08-12
CVE-2012-0394
Public exploit
The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself.
Max CVSS
6.8
EPSS Score
94.20%
Published
2012-01-08
Updated
2024-03-21
CVE-2012-0391
Known exploited
Public exploit
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
Max CVSS
9.3
EPSS Score
36.44%
Published
2012-01-08
Updated
2018-11-23
CISA KEV Added
2022-01-21
CVE-2011-3923
Public exploit
Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.
Max CVSS
9.8
EPSS Score
95.18%
Published
2019-11-01
Updated
2019-12-02
CVE-2010-1870
Public exploit
The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.
Max CVSS
5.0
EPSS Score
6.17%
Published
2010-08-17
Updated
2020-10-20
12 vulnerabilities found