CVE-2018-11776

Warnung

Exploit

EPSS 94.43%
Veröffentlicht 22.08.2018 13:29:00
Zuletzt bearbeitet 13.03.2025 21:01:25
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.

Betroffene Produkte Warnungen 1 Metriken 4 CWE 0 Referenzen 22

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Struts Version >= 2.0.4 < 2.3.35

Apache ≫ Struts Version >= 2.5.0 < 2.5.17

Netapp ≫ Active Iq Unified Manager SwPlatformwindows Version >= 7.3

Netapp ≫ Active Iq Unified Manager SwPlatformvmware_vsphere Version >= 9.5

Netapp ≫ Oncommand Insight Version-

Netapp ≫ Oncommand Workflow Automation Version-

Netapp ≫ Snapcenter Version-

Oracle ≫ Communications Policy Management Version < 12.5.0

Oracle ≫ Enterprise Manager Base Platform Version13.3.0.0

Oracle ≫ Enterprise Manager Base Platform Version13.4.0.0

Oracle ≫ Mysql Enterprise Monitor Version <= 3.4.9.4237

Oracle ≫ Mysql Enterprise Monitor Version >= 4.0.0 <= 4.0.6.5281

Oracle ≫ Mysql Enterprise Monitor Version >= 8.0.0 <= 8.0.2.8191

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache Struts Remote Code Execution Vulnerability

Schwachstelle

Apache Struts contains a vulnerability that allows for remote code execution under two circumstances. One, where the alwaysSelectFullNamespace option is true and the value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace. Or, using URL tag which doesn't have value and action set and in same time, its upper package configuration have no or wildcard namespace.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	94.43%	1

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	9.3	8.6	10	AV:N/AC:M/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H