Version 1.2.9
struts
No description available.
Install Instructions
mvn install struts
Language Java
Package URL (purl) pkg:maven/struts:struts@1.2.9
Find struts vulnerabilities in your supply chain.
struts Vulnerabilities
Sort by
CVE (Latest)
CVE (Latest)
-
CVE (Latest)
-
CVE (Oldest)
-
CVSS Score (Highest)
-
CVSS Score (Lowest)
CVE  |
CVSS Score |
CWE(s) |
EPSS Score |
EPSS % |
Impacted Versions |
|---|---|---|---|---|---|
| CVE-2005-3745 | Medium 4.3 | 0.00297 | 0.68926 |
|
|
| CVE-2006-1546 | High 7.5 | 0.00775 | 0.81141 |
|
|
| CVE-2006-1548 | Medium 4.3 | CWE-79 | 0.01459 | 0.86419 |
|
| CVE-2008-2025 | Medium 4.3 | CWE-79 | 0.00935 | 0.82802 |
|
| CVE-2012-1007 | Medium 4.3 | CWE-79 | 0.00543 | 0.77181 |
|
| CVE-2014-0114 | High 7.5 | CWE-20 | 0.97274 | 0.99931 |
|
| CVE-2015-0899 | High 7.5 | CWE-20 | 0.89936 | 0.99042 |
|
| CVE-2016-1181 | High 8.1 | CWE-400 | 0.0717 | 0.93955 |
|
| CVE-2016-1182 | High 8.2 | CWE-20 | 0.57488 | 0.97839 |
|
| CVE-2017-9787 | High 7.5 | CWE-284 | 0.02164 | 0.88991 |
|
| CVE-2017-9791 | High 9.8 | CWE-20 | 0.97508 | 0.99991 |
|
| CVE-2017-9793 | High 7.5 | CWE-20 | 0.9133 | 0.9913 |
|
| CVE-2017-9805 | High 8.1 | CWE-502 | 0.97393 | 0.99963 |
|
| CVE-2018-1327 | High 7.5 | CWE-20 | 0.00862 | 0.82076 |
|
| CVE-2006-1547 | High 7.5 | CWE-189 | 0.12144 | 0.95354 |
|
struts Vulnerability Remediation Guidance
| CVE | Description | Full list of Impacted Versions | Fix |
|---|---|---|---|
| CVE-2018-1327 | The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here http://struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16. | 1.2.4, 1.2.7, 1.2.2, 1.0.2, 1.2.8, 1.2.9, 1.1, 1.1-rc1 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2017-9805 | The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads. | 1.2.4, 1.2.7, 1.2.2, 1.0.2, 1.2.8, 1.2.9, 1.1, 1.1-rc1 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2017-9793 | The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload. | 1.2.4, 1.2.7, 1.2.2, 1.0.2, 1.2.8, 1.2.9, 1.1, 1.1-rc1 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2017-9791 | The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. | 1.2.4, 1.2.7, 1.2.2, 1.0.2, 1.2.8, 1.2.9, 1.1, 1.1-rc1 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2017-9787 | When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33. | 1.2.4, 1.2.7, 1.2.2, 1.0.2, 1.2.8, 1.2.9, 1.1, 1.1-rc1 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2016-1182 | ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899. | 1.2.4, 1.2.7, 1.2.2, 1.0.2, 1.2.8, 1.2.9, 1.1, 1.1-rc1 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2016-1181 | ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899. | 1.2.4, 1.2.7, 1.2.2, 1.0.2, 1.2.8, 1.2.9, 1.1, 1.1-rc1 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2015-0899 | The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. | 1.2.4, 1.2.7, 1.2.2, 1.2.8, 1.2.9, 1.1 | Patch → NO_SAFE_VERSION |
| CVE-2014-0114 | Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. | 1.2.4, 1.2.7, 1.2.2, 1.0.2, 1.2.8, 1.2.9, 1.1, 1.1-rc1 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2012-1007 | Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 1.3.10 allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) struts-cookbook/processDyna.do. | 1.2.4, 1.2.7, 1.2.2, 1.0.2, 1.2.8, 1.2.9, 1.1, 1.1-rc1 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2008-2025 | Cross-site scripting (XSS) vulnerability in Apache Struts before 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2 on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "insufficient quoting of parameters." | 1.2.4, 1.2.7, 1.2.2, 1.0.2, 1.2.8, 1.2.9, 1.1, 1.1-rc1 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2006-1548 | Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message. | 1.2.4, 1.2.7, 1.2.2, 1.0.2, 1.2.8, 1.1, 1.1-rc1, 1.1-rc2 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2006-1547 | ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils. | 1.2.7, 1.2.8 | Patch → NO_SAFE_VERSION |
| CVE-2006-1546 | Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check. | 1.2.4, 1.2.7, 1.2.2, 1.0.2, 1.2.8, 1.1, 1.1-rc1, 1.1-rc2 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2005-3745 | Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the query string, which is not properly quoted or filtered when the request handler generates an error message. | 1.2.4, 1.2.7, 1.2.2, 1.1, 1.1-rc1, 1.1-rc2 | Patch → NO_SAFE_VERSION |
Instantly see if these struts vulnerabilities affect your code.