{"api_version":"1","generated_at":"2026-04-22T16:28:19+00:00","cve":"CVE-2018-11776","urls":{"html":"https://cve.report/CVE-2018-11776","api":"https://cve.report/api/cve/CVE-2018-11776.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-11776","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-11776"},"summary":{"title":"CVE-2018-11776","description":"Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2018-08-22 13:29:00","updated_at":"2023-11-07 02:51:00"},"problem_types":["CWE-20"],"metrics":[],"references":[{"url":"https://www.exploit-db.com/exploits/45367/","name":"45367","refsource":"EXPLOIT-DB","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"Apache Struts 2 - Namespace Redirect OGNL Injection (Metasploit) - Multiple remote Exploit","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0012","name":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0012","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"Security Advisory","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://packetstormsecurity.com/files/172830/Apache-Struts-Remote-Code-Execution.html","name":"http://packetstormsecurity.com/files/172830/Apache-Struts-Remote-Code-Execution.html","refsource":"MISC","tags":[],"title":"Apache Struts Remote Code Execution ≈ Packet Storm","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/hook-s3c/CVE-2018-11776-Python-PoC","name":"https://github.com/hook-s3c/CVE-2018-11776-Python-PoC","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"GitHub - hook-s3c/CVE-2018-11776-Python-PoC: Working Python test and PoC for CVE-2018-11776, includes Docker lab","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/security-alerts/cpujul2020.html","name":"https://www.oracle.com/security-alerts/cpujul2020.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - July 2020","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E","name":"[announce] 20200131 Apache Software Foundation Security Report: 2019","refsource":"MLIST","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-11776-5072787.html","name":"http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-11776-5072787.html","refsource":"CONFIRM","tags":["Patch","Third Party Advisory"],"title":"Oracle Security Alert CVE-2018-11776","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-005.txt","name":"http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-005.txt","refsource":"CONFIRM","tags":["Mailing List","Third Party Advisory"],"title":"","mime":"text/plain","httpstatus":"200","archivestatus":"200"},{"url":"https://lgtm.com/blog/apache_struts_CVE-2018-11776","name":"https://lgtm.com/blog/apache_struts_CVE-2018-11776","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"CVE-2018-11776: How to find 5 RCEs in Apache Struts with Semmle QL - Blog - LGTM","mime":"text/html","httpstatus":"404","archivestatus":"200"},{"url":"https://cwiki.apache.org/confluence/display/WW/S2-057","name":"https://cwiki.apache.org/confluence/display/WW/S2-057","refsource":"CONFIRM","tags":["Issue Tracking","Third Party Advisory"],"title":"S2-057 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1041888","name":"1041888","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"MySQL Multiple Flaws Let Remote Users Gain Elevated Privileges, Remote Authenticated Users Access and Modify Data, and Remote and Local Users Deny Service - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E","name":"[announce] 20200131 Apache Software Foundation Security Report: 2019","refsource":"","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html","name":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html","refsource":"CONFIRM","tags":["Patch","Third Party Advisory"],"title":"Oracle Critical Patch Update - January 2019","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20181018-0002/","name":"https://security.netapp.com/advisory/ntap-20181018-0002/","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"October 2018 MySQL Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/45260/","name":"45260","refsource":"EXPLOIT-DB","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"Apache Struts 2.3 < 2.3.34 /  2.5 < 2.5.16 - Remote Code Execution (1)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1041547","name":"1041547","refsource":"SECTRACK","tags":["Third Party Advisory","VDB Entry"],"title":"Apache Struts Undefined Namespace Processing Lets Remote Users Execute Arbitrary Code on the Target System - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html","name":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html","refsource":"CONFIRM","tags":["Patch","Third Party Advisory"],"title":"CPU Oct 2018","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/105125","name":"105125","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Apache Struts CVE-2018-11776 Remote Code Execution Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.exploit-db.com/exploits/45262/","name":"45262","refsource":"EXPLOIT-DB","tags":["Exploit","Third Party Advisory","VDB Entry"],"title":"Apache Struts 2.3 < 2.3.34 /  2.5 < 2.5.16 - Remote Code Execution (2)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20180822-0001/","name":"https://security.netapp.com/advisory/ntap-20180822-0001/","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"CVE-2018-11776 Apache Struts Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-11776","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-11776","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"11776","vulnerable":"1","versionEndIncluding":"2.3.34","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"struts","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"11776","vulnerable":"1","versionEndIncluding":"2.5.16","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"struts","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2018","cve_id":"11776","cve":"CVE-2018-11776","vendorProject":"Apache","product":"Struts","vulnerabilityName":"Apache Struts Remote Code Execution Vulnerability","dateAdded":"2021-11-03","shortDescription":"Apache Struts contains a vulnerability that allows for remote code execution under two circumstances. One, where the alwaysSelectFullNamespace option is true and the value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace.  Or, using URL tag which doesn't have value and action set and in same time, its upper package configuration have no or wildcard namespace.","requiredAction":"Apply updates per vendor instructions.","dueDate":"2022-05-03","knownRansomwareCampaignUse":"Unknown","notes":"https://nvd.nist.gov/vuln/detail/CVE-2018-11776","cwes":"CWE-20","catalogVersion":"2026.04.21","updated_at":"2026-04-21 13:32:18"},"epss":{"cve_year":"2018","cve_id":"11776","cve":"CVE-2018-11776","epss":"0.944310000","percentile":"0.999840000","score_date":"2026-04-21","updated_at":"2026-04-22 00:07:42"},"legacy_qids":[{"cve":"CVE-2018-11776","qid":"981120","title":"Java (maven) Security Update for org.apache.struts:struts2-core (GHSA-cr6j-3jp9-rw65)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","DATE_PUBLIC":"2018-08-22T00:00:00","ID":"CVE-2018-11776","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache Struts","version":{"version_data":[{"version_value":"2.3 to 2.3.34"},{"version_value":"2.5 to 2.5.16"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Remote Code Execution"}]}]},"references":{"reference_data":[{"name":"1041888","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1041888"},{"name":"45367","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/45367/"},{"name":"45262","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/45262/"},{"name":"105125","refsource":"BID","url":"http://www.securityfocus.com/bid/105125"},{"name":"1041547","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1041547"},{"name":"45260","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/45260/"},{"refsource":"MLIST","name":"[announce] 20200131 Apache Software Foundation Security Report: 2019","url":"https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E"},{"name":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html","refsource":"CONFIRM","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"},{"url":"https://www.oracle.com/security-alerts/cpujul2020.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"name":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html","refsource":"CONFIRM","url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"},{"name":"https://security.netapp.com/advisory/ntap-20181018-0002/","refsource":"CONFIRM","url":"https://security.netapp.com/advisory/ntap-20181018-0002/"},{"name":"https://cwiki.apache.org/confluence/display/WW/S2-057","refsource":"CONFIRM","url":"https://cwiki.apache.org/confluence/display/WW/S2-057"},{"name":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0012","refsource":"CONFIRM","url":"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0012"},{"name":"http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-11776-5072787.html","refsource":"CONFIRM","url":"http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-11776-5072787.html"},{"name":"https://lgtm.com/blog/apache_struts_CVE-2018-11776","refsource":"MISC","url":"https://lgtm.com/blog/apache_struts_CVE-2018-11776"},{"name":"https://security.netapp.com/advisory/ntap-20180822-0001/","refsource":"CONFIRM","url":"https://security.netapp.com/advisory/ntap-20180822-0001/"},{"name":"http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-005.txt","refsource":"CONFIRM","url":"http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-005.txt"},{"name":"https://github.com/hook-s3c/CVE-2018-11776-Python-PoC","refsource":"MISC","url":"https://github.com/hook-s3c/CVE-2018-11776-Python-PoC"},{"refsource":"MISC","name":"http://packetstormsecurity.com/files/172830/Apache-Struts-Remote-Code-Execution.html","url":"http://packetstormsecurity.com/files/172830/Apache-Struts-Remote-Code-Execution.html"}]}},"nvd":{"publishedDate":"2018-08-22 13:29:00","lastModifiedDate":"2023-11-07 02:51:00","problem_types":["CWE-20"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:C/I:C/A:C","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"COMPLETE","integrityImpact":"COMPLETE","availabilityImpact":"COMPLETE","baseScore":9.3},"severity":"HIGH","exploitabilityScore":8.6,"impactScore":10,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*","versionStartIncluding":"2.5.0","versionEndIncluding":"2.5.16","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*","versionStartIncluding":"2.3.1","versionEndIncluding":"2.3.34","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"11776","Ordinal":"128269","Title":"CVE-2018-11776","CVE":"CVE-2018-11776","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"11776","Ordinal":"1","NoteData":"Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"11776","Ordinal":"2","NoteData":"2018-08-22","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"11776","Ordinal":"3","NoteData":"2020-07-14","Type":"Other","Title":"Modified"}]}}}