In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side.
References
Link | Resource |
---|---|
https://struts.apache.org/docs/s2-042.html | Vendor Advisory |
http://www.securityfocus.com/bid/93773 | Third Party Advisory VDB Entry |
https://security.netapp.com/advisory/ntap-20180629-0003/ |
Configurations
Configuration 1 (hide)
|
Information
Published : 2017-09-20 10:29
Updated : 2019-08-12 14:15
NVD link : CVE-2016-6795
Mitre link : CVE-2016-6795
JSON object : View
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Products Affected
apache
- struts