Software Detail
Struts: 84 NVD entries (CRITICAL 15, HIGH 34, MEDIUM 34, LOW 1)
URL https://struts.apache.org
Explanation: Struts is an MVC framework for Java web applications developed by the Apache Software Foundation.
It is open source and can be used free of charge.

Highly urgent vulnerabilities, such as remote command execution, have been found in it several times, and incidents such as information leaks have occurred through exploitation of these vulnerabilities.

Development of Struts 1 started in early 2000, and a considerable number of companies have used it.

Struts 1 is no longer supported.
Tag
  • Apache License v2.0
  • Java

Additional information URLs
  1. https://struts.apache.org/struts1eol-announcement.html
  2. https://struts.apache.org/download.cgi
  3. https://struts.apache.org/releases.html
  4. https://github.com/apache/struts1
  5. https://github.com/apache/struts
  6. https://cwiki.apache.org/confluence/display/WW/Security+Bulletins
  7. https://struts.apache.org/struts23-eol-announcement

List of products (release history and vulnerability counts)

No. | Name       | Latest version | Release date   | Initial release | Support end (normal / security)  | Critical | High | Medium | Low
----|------------|----------------|----------------|-----------------|----------------------------------|----------|------|--------|----
11  | Struts 6   | 6.7.0          | Nov. 17, 2024  | June 6, 2022    | -                                | 1        | 1    | 1      | 0
12  | Struts 2.5 | 2.5.33         | April 4, 2022  | May 5, 2016     | Oct. 30, 2023 / April 30, 2024   | 7        | 9    | 5      | 0
13  | Struts 2.3 | 2.3.37         | Dec. 30, 2018  | Dec. 9, 2011    | Nov. 14, 2018 / April 14, 2019   | 14       | 26   | 19     | 0
14  | Struts 2.2 | 2.2.3.1        | Sept. 7, 2011  | June 29, 2010   | Dec. 18, 2011                    | 10       | 21   | 20     | 1
15  | Struts 2.1 | 2.1.8.1        | Nov. 11, 2009  | Oct. 29, 2007   | Dec. 18, 2011                    | 9        | 21   | 21     | 1
16  | Struts 2.0 | 2.0.15         | Nov. 17, 2008  | Sept. 25, 2006  | Dec. 18, 2011                    | 9        | 20   | 23     | 1
17  | Struts 1   | 1.3.10         | Dec. 7, 2014   | May 1, 2000     | April 5, 2013                    | 0        | 7    | 5      | 0

Service pack support and extended (paid) support are not listed for any product.
NVD Vulnerability Information

Each entry gives the severity level with CVSS3 and CVSS2 base scores, the attack vector, the NVD description, the CWE, the affected CPE and version range, and the NVD update and publication dates.
11. CVE-2011-3923
    Severity: CRITICAL (CVSS3 9.8, CVSS2 7.5); attack vector: Network
    Description: Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.
    CWE: CWE-732 Incorrect Permission Assignment for Critical Resource
    Affected: cpe:2.3:a:apache:struts:*:*, versions 2.0.0 to 2.3.1.2
    Updated: 2024-11-21 10:31; published: 2019-11-1
12. CVE-2018-11776
    Severity: HIGH (CVSS3 8.1, CVSS2 9.3); attack vector: Network
    Description: Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: …
    CWE: NVD-CWE-noinfo
    Affected: cpe:2.3:a:apache:struts:*:*, versions 2.0.4 to 2.3.35 and 2.5.0 to 2.5.17
    Updated: 2024-11-21 12:44; published: 2018-08-22
13. CVE-2018-1327
    Severity: HIGH (CVSS3 7.5, CVSS2 5.0); attack vector: Network
    Description: The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Stru…
    CWE: NVD-CWE-noinfo
    Affected: cpe:2.3:a:apache:struts:*:*, versions 2.1.1 to 2.5.14.1
    Updated: 2024-11-21 12:59; published: 2018-03-28
14. CVE-2017-15707
    Severity: MEDIUM (CVSS3 6.2, CVSS2 5.0); attack vector: Local
    Description: In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.
    CWE: CWE-20 Improper Input Validation
    Affected: cpe:2.3:a:apache:struts:*:*, versions 2.5 to 2.5.14
    Updated: 2024-11-21 12:15; published: 2017-12-2
15. CVE-2016-3090
    Severity: HIGH (CVSS3 8.8, CVSS2 6.5); attack vector: Network
    Description: The TextParseUtil.translateVariables method in Apache Struts 2.x before 2.3.20 allows remote attackers to execute arbitrary code via a crafted OGNL expression with ANTLR tooling.
    CWE: CWE-20 Improper Input Validation
    Affected: cpe:2.3:a:apache:struts:2.3.9:*, cpe:2.3:a:apache:struts:2.3.8:*, cpe:2.3:a:apache:struts:2.3.7:*, cpe:2.3:a:apac…
    Updated: 2024-11-21 11:49; published: 2017-10-30
16. CVE-2016-4461
    Severity: HIGH (CVSS3 8.8, CVSS2 9.0); attack vector: Network
    Description: Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because …
    CWE: CWE-20 Improper Input Validation
    Affected: cpe:2.3:a:apache:struts:*:*, versions 2.0.0 to 2.3.29
    Updated: 2024-11-21 11:52; published: 2017-10-17
17. CVE-2015-5169
    Severity: MEDIUM (CVSS3 6.1, CVSS2 4.3); attack vector: Network
    Description: Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20.
    CWE: CWE-79 Cross-site Scripting
    Affected: cpe:2.3:a:apache:struts:*:*, versions 2.0.0 to 2.3.16.3
    Updated: 2024-11-21 11:32; published: 2017-09-26
18. CVE-2017-9804
    Severity: HIGH (CVSS3 7.5, CVSS2 5.0); attack vector: Network
    Description: In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which …
    CWE: CWE-20 Improper Input Validation
    Affected: cpe:2.3:a:apache:struts:2.5:beta3, cpe:2.3:a:apache:struts:2.5:beta2, cpe:2.3:a:apache:struts:2.5:beta1, cpe:2.3:…
    Updated: 2024-11-21 12:36; published: 2017-09-21
19. CVE-2017-9793
    Severity: HIGH (CVSS3 7.5, CVSS2 5.0); attack vector: Network
    Description: The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request wit…
    CWE: CWE-20 Improper Input Validation
    Affected: cpe:2.3:a:apache:struts:2.5:beta3, cpe:2.3:a:apache:struts:2.5:beta2, cpe:2.3:a:apache:struts:2.5:beta1, cpe:2.3:…
    Updated: 2024-11-21 12:36; published: 2017-09-21
20. CVE-2017-12611
    Severity: CRITICAL (CVSS3 9.8, CVSS2 7.5); attack vector: Network
    Description: In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.
    CWE: CWE-20 Improper Input Validation
    Affected: cpe:2.3:a:apache:struts:2.5:beta3, cpe:2.3:a:apache:struts:2.5:beta2, cpe:2.3:a:apache:struts:2.5:beta1, cpe:2.3:…
    Updated: 2024-11-21 12:09; published: 2017-09-21