CVE-2016-3081 — Apache Struts RCE Vulnerability

Description

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

How to fix CVE-2016-3081

To remediate CVE-2016-3081, upgrade the affected package to a fixed version below.

Maven/org.apache.struts:struts2-core—upgrade to 2.3.20.3 or later

Is CVE-2016-3081 being exploited?

Likely — EPSS is 94.2%, placing CVE-2016-3081 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

>= 2.3.19, < 2.3.20.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (13)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-3081
PATCHgithub.com/apache/struts
WEBpacketstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html
WEBstruts.apache.org/docs/s2-032.html