CVE-2016-4438
Published on: 07/04/2016 12:00:00 AM UTC
Last Modified on: 03/23/2021 11:26:58 PM UTC
Certain versions of Struts from Apache contain the following vulnerability:
The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.
- CVE-2016-4438 has been assigned by
[email protected] to track the vulnerability - currently rated as - currently rated as CRITICAL severity.
CVSS3 Score: 9.8 - CRITICAL
Attack Vector ⓘ |
Attack Complexity |
Privileges Required |
User Interaction |
|
---|---|---|---|---|
NETWORK | LOW | NONE | NONE | |
Scope | Confidentiality Impact |
Integrity Impact |
Availability Impact |
|
UNCHANGED | HIGH | HIGH | HIGH |
CVSS2 Score: 7.5 - HIGH
Access Vector ⓘ |
Access Complexity |
Authentication |
---|---|---|
NETWORK | LOW | NONE |
Confidentiality Impact |
Integrity Impact |
Availability Impact |
PARTIAL | PARTIAL | PARTIAL |
CVE References
Description | Tags ⓘ | Link |
---|---|---|
Apache Struts CVE-2016-4438 Remote Code Execution Vulnerability | Third Party Advisory cve.report (archive) text/html |
![]() |
JVN#07710476: Apache Struts 2 vulnerable to remote code execution | Vendor Advisory jvn.jp text/xml |
![]() |
No Description Provided | VDB Entry Vendor Advisory jvndb.jvn.jp text/html |
![]() |
S2-037 | Vendor Advisory struts.apache.org text/html |
![]() |
1348238 – (CVE-2016-4438) CVE-2016-4438 struts: Possible RCE via REST plugin | Issue Tracking Third Party Advisory VDB Entry bugzilla.redhat.com text/html |
![]() |
Oracle Critical Patch Update - July 2017 | www.oracle.com text/html |
![]() |
There are currently no QIDs associated with this CVE
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Apache | Struts | 2.3.20 | All | All | All |
Application | Apache | Struts | 2.3.20.1 | All | All | All |
Application | Apache | Struts | 2.3.20.3 | All | All | All |
Application | Apache | Struts | 2.3.24 | All | All | All |
Application | Apache | Struts | 2.3.24.1 | All | All | All |
Application | Apache | Struts | 2.3.24.3 | All | All | All |
Application | Apache | Struts | 2.3.28 | All | All | All |
Application | Apache | Struts | 2.3.20 | All | All | All |
Application | Apache | Struts | 2.3.20.1 | All | All | All |
Application | Apache | Struts | 2.3.20.3 | All | All | All |
Application | Apache | Struts | 2.3.24 | All | All | All |
Application | Apache | Struts | 2.3.24.1 | All | All | All |
Application | Apache | Struts | 2.3.24.3 | All | All | All |
Application | Apache | Struts | 2.3.28 | All | All | All |
- cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*:
- cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*:
- cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*:
- cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*:
- cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*:
- cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*:
- cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*:
- cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*:
- cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*:
- cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*:
- cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*:
- cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*:
- cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*:
- cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE