CVE-2016-0785 — Apache Struts RCE Vulnerability

Description

Apache Struts 2.x before 2.3.20.3, 2.3.24.3, and 2.3.28 allows remote attackers to execute arbitrary code via a `%{}` sequence in a tag attribute, aka forced double OGNL evaluation.

How to fix CVE-2016-0785

To remediate CVE-2016-0785, upgrade the affected package to a fixed version below.

Maven/org.apache.struts:struts2-core—upgrade to 2.3.20.3 or later

Is CVE-2016-0785 being exploited?

Moderate — EPSS is 13.4%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

>= 2.0.0, < 2.3.20.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-0785
PATCHgithub.com/apache/struts
WEBgithub.com/apache/struts/commit/15857a69e7baf3675804495a5954cd0756ac8364
WEBstruts.apache.org/docs/s2-029.html
WEB