Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16 are vulnerable to possible remote code execution (CVE-2018-11776) when alwaysSelectFullNamespace is true (set either by the user or by a plugin such as the Convention Plugin) and, in addition, either of the following holds: a result is used with no namespace while its enclosing package has no namespace or a wildcard namespace; or a url tag is used with neither value nor action set while its enclosing package has no namespace or a wildcard namespace. In that configuration the namespace is taken from the request URL rather than from the application's own configuration.
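All of the conditions above except the url-tag case are visible in struts.xml. The following Python script is an added example for this page (not code from the original page and not part of the Struts project): it parses a struts.xml and reports every redirectAction or chain result that lacks a namespace param inside a package with no namespace or a wildcard namespace, while struts.mapper.alwaysSelectFullNamespace resolves to true. The two struts.xml fragments embedded in it are constructed for the example: one shows the weak configuration the advisory describes, the other the same application with an explicit namespace on each package and on each result and the URL-namespace mapper switched off. The convention_plugin_present flag is an assumption of this script: the Convention plugin enables alwaysSelectFullNamespace on its own, and the script cannot see the classpath, so the caller states whether the plugin is deployed; an explicit constant in struts.xml still wins over that default.

```python
"""Audit a struts.xml for the CVE-2018-11776 (S2-057) configuration preconditions.

Added example for this page; not code from the Struts project. It covers the
struts.xml side of the advisory (results with no namespace inside a package
with no or wildcard namespace while alwaysSelectFullNamespace is true). The
url-tag case lives in JSP files and is not checked here.
"""
import xml.etree.ElementTree as ET

FULL_NS_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"
# Result types that dispatch to another action and therefore resolve a namespace.
ACTION_RESULT_TYPES = {"redirectAction", "chain"}

# Constructed sample: the weak configuration described in the advisory.
WEAK_STRUTS_XML = """<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
    <!-- no namespace attribute: the mapper takes the namespace from the URL -->
    <package name="default" extends="struts-default">
        <action name="index">
            <!-- redirectAction result with no namespace param -->
            <result type="redirectAction">
                <param name="actionName">login</param>
            </result>
        </action>
        <action name="about">
            <result>/WEB-INF/about.jsp</result>
        </action>
    </package>
    <!-- wildcard namespace: same problem -->
    <package name="admin" namespace="/admin/*" extends="struts-default">
        <action name="panel">
            <result name="success" type="chain">dashboard</result>
        </action>
    </package>
</struts>
"""

# Constructed sample: the same application with explicit namespaces everywhere
# and the URL-namespace mapper switched off.
HARDENED_STRUTS_XML = """<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
    <package name="default" namespace="/" extends="struts-default">
        <action name="index">
            <result type="redirectAction">
                <param name="actionName">login</param>
                <param name="namespace">/</param>
            </result>
        </action>
    </package>
    <package name="admin" namespace="/admin" extends="struts-default">
        <action name="panel">
            <result name="success" type="chain">
                <param name="actionName">dashboard</param>
                <param name="namespace">/admin</param>
            </result>
        </action>
    </package>
</struts>
"""


def full_namespace_enabled(root, convention_plugin_present=False):
    """True when the mapper will take the namespace from the request URL.

    convention_plugin_present is an assumption supplied by the caller: the
    Convention plugin turns the setting on by default, but struts.xml loads
    after the plugin configuration, so an explicit constant here overrides it.
    """
    for const in root.iter("constant"):
        if const.get("name") == FULL_NS_CONSTANT:
            return const.get("value", "").strip().lower() == "true"
    return convention_plugin_present


def namespace_is_weak(ns):
    """Missing, empty, or wildcard namespaces let the URL namespace through."""
    return ns is None or ns.strip() == "" or "*" in ns


def result_has_namespace(result):
    """A redirectAction/chain result is pinned only if it names its namespace."""
    return any(p.get("name") == "namespace" for p in result.findall("param"))


def audit(xml_text, convention_plugin_present=False):
    """Return (package, action, result) triples matching the advisory's conditions."""
    root = ET.fromstring(xml_text)
    if not full_namespace_enabled(root, convention_plugin_present):
        return []  # precondition not met: the configured namespace is used
    findings = []
    for pkg in root.findall("package"):
        if not namespace_is_weak(pkg.get("namespace")):
            continue
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                if result.get("type") in ACTION_RESULT_TYPES and not result_has_namespace(result):
                    findings.append((pkg.get("name"), action.get("name"), result.get("name", "success")))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_STRUTS_XML), ("hardened", HARDENED_STRUTS_XML)):
        print(label, audit(cfg))
```

Run it against a deployed struts.xml by passing the file contents to audit(); a non-empty result means the application meets the advisory's configuration conditions. Adding the namespaces is a workaround, not the fix: the Apache Software Foundation's advice on this page is to update, and the releases outside the affected ranges are 2.3.35 and 2.5.17.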
Vulnerable product: Apache Struts
And you'll definitely want to check out the libssh flaw
Oracle has released a wide-ranging security update to address more than 300 CVE-listed vulnerabilities in its various enterprise products. The October release covers the gamut of Oracle's offerings, including its flagship Database, E-Business Suite, and Fusion Middleware packages. For Database, the update addresses a total of three flaws. Two of the vulnerabilities (CVE-2018-3259 and CVE-2018-3299) can be remotely exploited without authentication, while the third, CVE-2018-7489, would require th...
- Underground forums alight with Struts chat, we hear
- Apache's latest SNAFU – Struts normal, all fscked up: Web app framework needs urgent patching
- Equifax's disastrous Struts patching blunder: THOUSANDS of other orgs did it too
A recently uncovered critical vulnerability in Apache Struts is already being exploited in the wild. Threat intel firm Volexity has warned that hackers are abusing the CVE-2018-11776 vuln to attack systems running Apache Struts 2, a popular open-source framework for developing applications in Java. Specifically, some nasty characters have abused the flaw while trying to install the CNRig cryptocurrency miner, researchers said. The vulnerability appears to be easier to exploit than the Struts fla...
Paging Equifax: Time to update again, fellas
Another critical security hole has been found in Apache Struts 2, requiring an immediate update. The vulnerability – CVE-2018-11776 – affects core code and allows miscreants to pull off remote code execution against vulnerable servers and websites. It affects all versions of Struts 2, the popular open-source framework for Java web apps. The Apache Software Foundation has "urgently advised" anyone using Struts to update to the latest version immediately, noting that the last time a critical h...