Lucene search

ApacheCVE-2018-11776

HistoryAug 22, 2018 - 1:29 p.m.

CVE-2018-11776

2018-08-2213:29:00

apache

web.nvd.nist.gov

1442

In Wild

cve

2018

11776

apache struts

remote code execution

input validation

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.4

Confidence

High

EPSS

0.975

Percentile

100.0%

JSON

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn’t have value and action set and in same time, its upper package have no or wildcard namespace.

Affected configurations

Nvd

Vulners

Node

apachestrutsRange2.0.4–2.3.35

apachestrutsRange2.5.0–2.5.17

Node

netappactive_iq_unified_managerRange7.3≥windows

netappactive_iq_unified_managerRange9.5≥vmware_vsphere

netapponcommand_insightMatch-

netapponcommand_workflow_automationMatch-

netappsnapcenterMatch-

Node

oraclecommunications_policy_managementRange<12.5.0

oracleenterprise_manager_base_platformMatch13.3.0.0

oracleenterprise_manager_base_platformMatch13.4.0.0

oraclemysql_enterprise_monitorRange≤3.4.9.4237

oraclemysql_enterprise_monitorRange4.0.0–4.0.6.5281

oraclemysql_enterprise_monitorRange8.0.0–8.0.2.8191

VendorProductVersionCPE
apachestruts*cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
netappactive_iq_unified_manager*cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*
netappactive_iq_unified_manager*cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*
netapponcommand_insight-cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
netapponcommand_workflow_automation-cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
netappsnapcenter-cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
oraclecommunications_policy_management*cpe:2.3:a:oracle:communications_policy_management:*:*:*:*:*:*:*:*
oracleenterprise_manager_base_platform13.3.0.0cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:*:*:*:*:*:*:*
oracleenterprise_manager_base_platform13.4.0.0cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
oraclemysql_enterprise_monitor*cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	struts	*	cpe:2.3:a:apache:struts::::::::
netapp	active_iq_unified_manager	*	cpe:2.3:a:netapp:active_iq_unified_manager::::::windows::*
netapp	active_iq_unified_manager	*	cpe:2.3:a:netapp:active_iq_unified_manager::::::vmware_vsphere::*
netapp	oncommand_insight	-	cpe:2.3:a:netapp:oncommand_insight:-:::::::*
netapp	oncommand_workflow_automation	-	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
netapp	snapcenter	-	cpe:2.3:a:netapp:snapcenter:-:::::::*
oracle	communications_policy_management	*	cpe:2.3:a:oracle:communications_policy_management::::::::
oracle	enterprise_manager_base_platform	13.3.0.0	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:::::::*
oracle	enterprise_manager_base_platform	13.4.0.0	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:::::::*
oracle	mysql_enterprise_monitor	*	cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::

CNA Affected

[
  {
    "vendor": "Apache Software Foundation",
    "product": "Apache Struts",
    "versions": [
      {
        "version": "2.3 to 2.3.34",
        "status": "affected"
      },
      {
        "version": "2.5 to 2.5.16",
        "status": "affected"
      }
    ]
  }
]