Home > Vulnerability Database > CVE-2016-3081

Mend.io Vulnerability Database

CVE-2016-3081

Good to know:

Date: April 26, 2016

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

Language: Java

Severity Score

8.1

Related Resources (18)

Url: http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html

Url: http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160527-01-struts2-en

Url: http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Url: https://web.archive.org/web/20210225192113/http://www.securityfocus.com/bid/87327

Url: https://web.archive.org/web/20210123152457/http://www.securityfocus.com/bid/91787

Url: http://www.securityfocus.com/bid/91787

Url: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

Url: http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec

Url: https://nvd.nist.gov/vuln/detail/CVE-2016-3081

Url: http://www.securityfocus.com/bid/87327

Url: https://www.exploit-db.com/exploits/39756/

Url: https://github.com/apache/struts

Url: http://www.securitytracker.com/id/1035665

Url: https://www.exploit-db.com/exploits/39756

Url: http://www.rapid7.com/db/modules/exploit/multi/http/struts_dmi_exec

Url: https://struts.apache.org/docs/s2-032.html

Url: https://web.archive.org/web/20210226011418/http://www.securitytracker.com/id/1035665

Url: https://www.mend.io/vulnerability-database/CVE-2016-3081

Severity Score

8.1

Weakness Type (CWE)

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-77

Top Fix

Upgrade Version

Upgrade to version org.apache.struts:struts2-core:2.3.20.3;org.apache.struts:struts2-core:2.3.24.3;org.apache.struts:struts2-core:2.3.28.1

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	9.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	COMPLETE
Integrity (I):	COMPLETE
Availability (A):	COMPLETE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2016-3081

Good to know:

Date: April 26, 2016

Language: Java

Severity Score

Related Resources (18)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?