Software Detail
Struts
Number of NVD entries: 84 (CRITICAL 15, HIGH 34, MEDIUM 34, LOW 1)
URL: https://struts.apache.org
Explanation: Struts is an MVC framework for Java web applications, developed by the Apache Software Foundation.
It is open source and free to use.

Highly urgent vulnerabilities, such as remote command execution, have been found in it several times, and incidents such as information leaks have occurred through exploitation of these vulnerabilities.

Development of Struts 1 started in early 2000, and quite a number of companies have been using it.

Struts 1 is no longer supported.
Tag
  • Apache License v2.0
  • Java

Add Information URL
No Type Name URL
1 https://struts.apache.org/struts1eol-announcement.html
2 https://struts.apache.org/download.cgi
3 https://struts.apache.org/releases.html
4 https://github.com/apache/struts1
5 https://github.com/apache/struts
6 https://cwiki.apache.org/confluence/display/WW/Security+Bulletins
7 https://struts.apache.org/struts23-eol-announcement

List of Products
No Name Latest Version Release date Initial release Normal Support Security Support Service Pack Support Extended (for a fee) Critical High Medium Low
1 Struts 6 6.7.0 Nov. 17, 2024 June 6, 2022 1 1 1 0
2 Struts 2.5 2.5.33 April 4, 2022 May 5, 2016 Oct. 30, 2023 April 30, 2024 7 9 5 0
3 Struts 2.3 2.3.37 Dec. 30, 2018 Dec. 9, 2011 Nov. 14, 2018 April 14, 2019 14 26 19 0
4 Struts 2.2 2.2.3.1 Sept. 7, 2011 June 29, 2010 Dec. 18, 2011 10 21 20 1
5 Struts 2.1 2.1.8.1 Nov. 11, 2009 Oct. 29, 2007 Dec. 18, 2011 9 21 21 1
6 Struts 2.0 2.0.15 Nov. 17, 2008 Sept. 25, 2006 Dec. 18, 2011 9 20 23 1
7 Struts 1 1.3.10 Dec. 7, 2014 May 1, 2000 April 5, 2013 0 7 5 0
NVD Vulnerability Information
No CVSS3 CVSS2 Level Attack Vector Title CWE CVE cpe23Uri (or higher / or less / more than / less than) Update date Published date
1 9.8
-
CRITICAL
Network
An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Us… - CVE-2023-50164 cpe:2.3:a:apache:struts:*:* 6.0.0
2.0.0


6.3.0.2
2.5.33
2024-11-21 17:36
2023-12-7
2 7.5
-
HIGH
Network
When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Users ar…
CWE-459 Incomplete Cleanup
CVE-2023-41835 cpe:2.3:a:apache:struts:*:* 2.0.0
6.1.2.1


2.5.32
6.3.0.1
2024-11-21 17:21
2023-12-5
3 7.5
-
HIGH
Network
Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.… - CVE-2023-34396 cpe:2.3:a:apache:struts:*:* 6.0.0


6.1.2.1
2.5.31
2024-11-21 17:07
2023-06-14
4 6.5
-
MEDIUM
Network
Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.… - CVE-2023-34149 cpe:2.3:a:apache:struts:*:* 6.0.0


6.1.2.1
2.5.31
2024-11-21 17:06
2023-06-14
5 9.8
7.5
CRITICAL
Network
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evalua…
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVE-2021-31805 cpe:2.3:a:apache:struts:*:* 2.0.0 2.5.29 2024-11-21 15:06
2022-04-13
6 9.8
7.5
CRITICAL
Network
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software: Apache Struts 2.0.0 - Struts 2.5.25.
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CVE-2020-17530 cpe:2.3:a:apache:struts:*:* 2.0.0 2.5.30 2024-11-21 14:08
2020-12-11
7 7.5
5.0
HIGH
Network
An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.
CWE-281 Improper Preservation of Permissions
CVE-2019-0233 cpe:2.3:a:apache:struts:*:* 2.0.0 2.5.20 2024-11-21 13:16
2020-09-15
8 9.8
7.5
CRITICAL
Network
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2019-0230 cpe:2.3:a:apache:struts:*:* 2.0.0 2.5.20 2024-11-21 13:16
2020-09-15
9 6.1
4.3
MEDIUM
Network
Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.
CWE-79 Cross-site Scripting
CVE-2015-2992 cpe:2.3:a:apache:struts:*:* 2.0.0 2.3.20 2024-11-21 11:28
2020-02-28
10 8.8
6.5
HIGH
Network
A local code execution issue exists in Apache Struts2 when processing malformed XSLT files, which could let a malicious user upload and execute arbitrary files.
CWE-434 Unrestricted Upload of File with Dangerous Type
CVE-2012-1592 cpe:2.3:a:apache:struts:2.0.0:* 2024-11-21 10:37
2019-12-6