CVE-2016-3087
Apache Struts vulnerable to arbitrary remote code execution due to improper input validation
9.8
CRITICAL
CVSS 3.1
EPSS 87.0%
Description
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an `!` (exclamation mark) operator to the REST Plugin.
How to fix CVE-2016-3087
To remediate CVE-2016-3087, upgrade the affected package to a fixed version below.
- Upgrade to 2.3.20.3 or later
Is CVE-2016-3087 being exploited?
Likely — EPSS is 87.0%, placing CVE-2016-3087 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- >= 2.3.19, < 2.3.20.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |