CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score: 7.2 High (Confidence: Low)
EPSS: 0.09 Low (Percentile: 94.7%)
org.apache.struts: struts2-core is vulnerable to Remote Code Execution. The vulnerability is due to the `HttpParameters` class in `HttpParameters.java` failing to sanitize parameters with different cases. The `remove`, `get` and `contains` methods treat parameters with different character cases as unique parameters, lacking case sensitivity checks. This allows attackers to manipulate file upload parameters, potentially leading to Path Traversal and Remote Code Execution.
CPE

Name | Operator | Version
---|---|---
struts 2 core | le | 2.5.32
struts 2 core | le | 6.3.0.1
packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html
cwiki.apache.org/confluence/display/WW/S2-066
github.com/advisories/GHSA-2j39-qcjm-428w
github.com/apache/struts/commit/162e29fee9136f4bfd9b2376da2cbf590f9ea163
github.com/apache/struts/commit/d8c69691ef1d15e76a5f4fcf33039316da2340b6
lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj
security.netapp.com/advisory/ntap-20231214-0010/
www.openwall.com/lists/oss-security/2023/12/07/1