CVE-2016-3087

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
VendorProductVersion
apachestruts
2.3.20
apachestruts
2.3.20.1
apachestruts
2.3.24
apachestruts
2.3.24.1
apachestruts
2.3.28
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libstruts1.2-java
xenial
dne
wily
dne
trusty
dne
precise
not-affected
Common Weakness Enumeration
References
http://struts.apache.org/docs/s2-033.html
http://www-01.ibm.com/support/docview.wss?uid=swg21987854
http://www.securityfocus.com/bid/90960
http://www.securitytracker.com/id/1036017
https://www.exploit-db.com/exploits/39919/
http://struts.apache.org/docs/s2-033.html
http://www-01.ibm.com/support/docview.wss?uid=swg21987854
http://www.securityfocus.com/bid/90960
http://www.securitytracker.com/id/1036017
https://www.exploit-db.com/exploits/39919/