CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
94.6%
Vulnerability Details:
This vulnerability may allow remote attackers to execute arbitrary code on applications utilizing affected installations of Apache Struts. Depending on the context, authentication may not be required to exploit this vulnerability.
The specific flaw exists within the underlying http parameter parsing logic. The issue results from the control specific http parameters by allowing the attacker to specify uppercase characters. An attacker can leverage this vulnerability to trigger a directory traversal which may result in the execution of arbitrary code in the context of the application.
Affected Vendors:
Apache
Affected Products:
Struts 2.0.0 - Struts 2.3.37, Struts 2.5.0 - Struts 2.5.32, Struts 6.0.0 - Struts 6.3.0
Vendor Response:
Apache has issued an update to correct this vulnerability. More details can be found at: <https://cwiki.apache.org/confluence/display/WW/S2-066>