Vulnerability Details CVE-2016-3087
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an ! (exclamation mark) operator to the REST Plugin.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.865
EPSS Ranking 99.4%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://struts.apache.org/docs/s2-033.html
- http://www-01.ibm.com/support/docview.wss?uid=swg21987854
- http://www.securityfocus.com/bid/90960
- http://www.securitytracker.com/id/1036017
- https://www.exploit-db.com/exploits/39919/
- http://struts.apache.org/docs/s2-033.html
- http://www-01.ibm.com/support/docview.wss?uid=swg21987854
- http://www.securityfocus.com/bid/90960
- http://www.securitytracker.com/id/1036017
- https://www.exploit-db.com/exploits/39919/
Products affected by CVE-2016-3087
-
cpe:2.3:a:apache:struts:2.3.20
-
cpe:2.3:a:apache:struts:2.3.20.1
-
cpe:2.3:a:apache:struts:2.3.24
-
cpe:2.3:a:apache:struts:2.3.24.1
-
cpe:2.3:a:apache:struts:2.3.28