Apache Struts Multiple Vulnerabilities
Fabien edited this page May 22, 2024 · 1 revision
Apache Struts is an open-source framework for building Java EE web applications. Over the years it has accumulated a long series of security vulnerabilities that, when exploited, allow remote code execution, denial of service, or information disclosure.
- Severity: Critical
Impact:
- Remote Code Execution (RCE): Attackers can execute arbitrary code on the server hosting the application, typically with the privileges of the servlet container, and take full control of the affected system.
- Denial of Service (DoS): Certain vulnerabilities can be triggered with crafted requests to exhaust memory or CPU, making the application or server unresponsive to legitimate users.
- Information Disclosure: Exploits may expose sensitive data (configuration, session data, internal paths), which can be leveraged for further attacks.
Common Causes:
- Inadequate Input Validation: Many Struts vulnerabilities arise from the framework passing attacker-controlled input into sensitive processing (historically OGNL expression evaluation, and in newer advisories the multipart file-upload handling) without adequate validation.
- Outdated Libraries: Running older, unpatched versions of Struts or its dependencies that contain publicly known vulnerabilities; these are routinely scanned for and exploited.
- Misconfiguration: Incorrectly configured Struts settings (for example development mode left enabled in production) expose applications to a higher risk of attack.
Strategies for Mitigating Struts Vulnerabilities:
- Regular Updates and Patch Management:
  - Keep Apache Struts and its dependencies up to date and apply security releases as soon as they are published. This is the primary control: the vulnerabilities listed below are framework bugs, and only the fixed versions remove them.
  - Inventory every deployment (including jars bundled inside WAR/EAR files) so that nothing is missed when an advisory is published.
- Enhanced Input Validation:
  - Apply rigorous validation and sanitization to application inputs to limit what reaches the framework. Treat this as defence in depth rather than a substitute for patching, since application-level checks cannot reliably block a flaw in the framework's own request parsing.
- Security Audits and Testing:
  - Conduct regular security audits, dependency scanning, and penetration testing to identify and remediate vulnerable versions and configurations.
- Isolate Struts Applications:
  - Run Struts applications with least privilege (a dedicated, unprivileged service account, a container or separate host, restricted outbound network access) so that a successful exploit does not yield control of the wider environment.
- Apache Struts 2.5.0 < 2.5.33 / 6.0.0 < 6.3.0.2 Remote Code Execution (S2-066)
- Apache Struts 2.0.0 < 6.1.2.1 Denial of Service (S2-063)
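The two entries above give half-open version ranges (affected from the first version up to, but not including, the fixed version). The script below is an added example for the patch-management and audit steps, not code from this page or from the Apache Struts project: it walks a deployment directory, finds `struts2-core-<version>.jar` files on disk and inside `.war`/`.ear` archives (the standard Maven artifact naming), and reports which of the two advisories each version falls into. The directory layout in `run_demo()` and the jar versions it creates are constructed sample data; the ranges are taken from the two entries on this page.

```python
"""Flag struts2-core jars whose version falls inside the affected ranges of
S2-066 and S2-063. Added example for this page; not part of Apache Struts."""
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# (label, [first affected, fixed-in) ranges) as listed on this page.
ADVISORIES: List[Tuple[str, List[Tuple[str, str]]]] = [
    ("S2-066 RCE", [("2.5.0", "2.5.33"), ("6.0.0", "6.3.0.2")]),
    ("S2-063 DoS", [("2.0.0", "6.1.2.1")]),
]

# Maven artifact naming used by the Struts project: struts2-core-<version>.jar
JAR_NAME = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Version:
    """'6.3.0.2' -> (6, 3, 0, 2). Shorter versions are zero-padded so that
    '2.5.33' compares as (2, 5, 33, 0) and '6.1.2' sorts below '6.1.2.1'."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


def in_range(version: Version, lo: str, hi: str) -> bool:
    """True when lo <= version < hi (hi is the fixed release, so excluded)."""
    return parse_version(lo) <= version < parse_version(hi)


def affected_advisories(version_text: str) -> List[str]:
    """Labels of every advisory whose ranges contain the given version."""
    v = parse_version(version_text)
    return [label for label, ranges in ADVISORIES
            if any(in_range(v, lo, hi) for lo, hi in ranges)]


def version_from_jar_name(name: str) -> Optional[str]:
    """Version string from a struts2-core jar path/name, else None."""
    m = JAR_NAME.search(name)
    return m.group(1) if m else None


def scan(root: Path) -> Dict[str, List[str]]:
    """Map each struts2-core jar under root (loose on disk, or packed inside
    a .war/.ear) to the advisories it is affected by; patched jars map to []."""
    findings: Dict[str, List[str]] = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix == ".jar":
            version = version_from_jar_name(path.name)
            if version:
                findings[rel] = affected_advisories(version)
        elif path.suffix in (".war", ".ear"):
            with zipfile.ZipFile(path) as archive:
                for entry in archive.namelist():
                    version = version_from_jar_name(entry)
                    if version:
                        findings[f"{rel}!{entry}"] = affected_advisories(version)
    return findings


def run_demo() -> Dict[str, List[str]]:
    """Build a constructed deployment tree (empty jars plus one packed WAR,
    sample data only) in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        legacy = root / "tomcat" / "webapps" / "legacy" / "WEB-INF" / "lib"
        legacy.mkdir(parents=True)
        (legacy / "struts2-core-2.5.30.jar").touch()               # unpatched
        (legacy / "struts2-convention-plugin-2.5.30.jar").touch()  # not core
        patched = root / "tomcat" / "webapps" / "new" / "WEB-INF" / "lib"
        patched.mkdir(parents=True)
        (patched / "struts2-core-6.3.0.2.jar").touch()             # fixed
        with zipfile.ZipFile(root / "tomcat" / "webapps" / "packed.war", "w") as war:
            war.writestr("WEB-INF/lib/struts2-core-6.1.2.jar", b"")  # unpatched
        return scan(root)


if __name__ == "__main__":
    for location, hits in sorted(run_demo().items()):
        print(f"{location}: {', '.join(hits) if hits else 'not affected'}")
```

The version comparison is numeric per component rather than a string comparison, which matters here because `2.5.33` is the fix for the 2.5 branch of S2-066 while still being below the `6.1.2.1` fix for S2-063, and `6.1.2` must sort below `6.1.2.1`. Point `scan()` at a real `webapps` directory to use it; jars pulled in only through a shaded or renamed artifact will not match the filename pattern and need a manifest check instead.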
N/A