CVE-2016-3081

Remote Code Execution
Affects
Apache Struts
>=2.3.19 <2.3.20.3, >=2.3.21 <2.3.24.3, >=2.3.25 <2.3.28.1
in
Struts
Patch Available
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview and Vulnerability Info

Apache Struts is a popular open-source web application framework for developing Java EE web applications. It provides robust support for creating modern Java-based enterprise applications. 

A Remote Code Execution (RCE) vulnerability (CVE-2016-3081) has been identified in the REST plugin of Apache Struts. This vulnerability allows attackers to execute arbitrary commands on affected servers by injecting malicious input into RESTful API endpoints, exploiting improper input sanitization mechanisms.

Per the Open Web Application Security Project (OWASP): "Code Injection occurs when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization."

This issue affects multiple versions of the Apache Struts framework, specifically versions 2.3.19 through 2.3.28, excluding versions 2.3.20.3, 2.3.24.3, and 2.3.28.1.

Details

Vulnerability Info

CVE-2016-3081 is a high-severity vulnerability that arises from the improper handling of user input in RESTful endpoints. Specifically, attackers can use the method: prefix in user-provided parameters, the Dynamic Method Invocation (DMI) feature, to invoke arbitrary methods on the server, enabling remote code execution. This flaw was particularly dangerous for legacy systems where REST plugins were enabled without sufficient configuration or security hardening.

Credits

  • This vulnerability was disclosed by Nike Zheng from DBAPPSecurity.

Mitigation

To mitigate this issue, users of the affected components should take the following steps:

  • Move to secure versions (Apache Struts 2.3.20.3, 2.3.24.3, or 2.3.28.1).
  • If your application does not require DMI, disable it to reduce attack vectors.
  • Implement strict input validation for RESTful APIs to block malicious inputs.

  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
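As an added example (not HeroDevs' advisory code and not part of Apache Struts), the following Python script illustrates the two checks behind the mitigation list above: it reads a struts.xml and reports whether Dynamic Method Invocation (DMI) is left enabled, and it flags access-log requests whose parameter names carry the method: prefix described under Vulnerability Info. The struts.xml fragments and log lines are constructed for this example; the constant name struts.enable.DynamicMethodInvocation is the real Struts setting, and the assumption that it defaults to true when absent on the 2.3.x line is stated in the code.

```python
"""Offline audit helpers for CVE-2016-3081 (added example, not the advisory's code).

  1. dmi_enabled()        - does a struts.xml leave Dynamic Method Invocation on?
  2. find_dmi_requests()  - which access-log requests use a "method:" parameter name?
All sample inputs below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qsl

# Real Struts constant controlling DMI. Assumption used here: on the Struts 2.3.x
# line it defaults to true when the constant is not declared at all.
DMI_CONSTANT = "struts.enable.DynamicMethodInvocation"

# Constructed struts.xml with the weak setting: the constant is absent, so DMI
# stays enabled under the 2.3.x default.
WEAK_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="false" />
  <package name="default" extends="struts-default">
    <action name="index" class="example.IndexAction" />
  </package>
</struts>
"""

# Same file with the mitigation applied: DMI explicitly switched off.
HARDENED_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="false" />
  <constant name="struts.enable.DynamicMethodInvocation" value="false" />
  <package name="default" extends="struts-default">
    <action name="index" class="example.IndexAction" />
  </package>
</struts>
"""


def dmi_enabled(struts_xml: str, default: bool = True) -> bool:
    """Return True if this struts.xml leaves DMI enabled.

    `default` applies when the constant is missing (True matches the 2.3.x default).
    If the constant is declared more than once, this function uses the last one.
    """
    root = ET.fromstring(struts_xml)
    value = None
    for const in root.iter("constant"):
        if const.get("name") == DMI_CONSTANT:
            value = const.get("value", "")
    if value is None:
        return default
    return value.strip().lower() == "true"


# Constructed access-log lines in combined log format (line 4 uses a URL-encoded
# colon, line 5 has "method:" only inside a parameter *value*, which is not DMI).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [20/Apr/2016:10:01:02 +0000] "GET /app/index.action HTTP/1.1" 200 512
10.0.0.9 - - [20/Apr/2016:10:01:07 +0000] "GET /app/index.action?method:listAll=1 HTTP/1.1" 200 1024
10.0.0.9 - - [20/Apr/2016:10:01:09 +0000] "POST /app/index.action HTTP/1.1" 200 88
10.0.0.9 - - [20/Apr/2016:10:01:12 +0000] "GET /app/index.action?method%3Aping HTTP/1.1" 404 0
10.0.0.7 - - [20/Apr/2016:10:01:15 +0000] "GET /app/search.action?q=method:foo HTTP/1.1" 200 300
"""

# Extracts the request target from the quoted request line of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<verb>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def find_dmi_requests(log_text: str):
    """Return (line_no, client_ip, target, param_name) for every request whose
    query string contains a parameter NAME beginning with "method:".

    parse_qsl percent-decodes names, so "method%3Aping" is caught as well, and
    keep_blank_values=True retains names that arrive without an "=" sign.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, _value in parse_qsl(query, keep_blank_values=True):
            if name.startswith("method:"):
                hits.append((n, line.split()[0], m.group("target"), name))
    return hits


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_STRUTS_XML), ("hardened", HARDENED_STRUTS_XML)):
        print(f"{label} struts.xml: DMI enabled = {dmi_enabled(xml)}")
    for n, client, target, name in find_dmi_requests(SAMPLE_ACCESS_LOG):
        print(f"line {n}: {client} sent DMI parameter {name!r} in {target}")
```

Running the script reports the weak configuration as DMI-enabled and the hardened one as disabled, and lists only log lines 2 and 4 as DMI requests; line 5 is skipped because the prefix appears in a value rather than a parameter name. The log check is a triage aid, not a substitute for upgrading: on a patched version with DMI disabled, such requests are simply rejected, but seeing them in logs still tells a defender that the endpoint is being probed.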

Vulnerability Details

ID: CVE-2016-3081
Project affected: Apache Struts
Versions affected: >=2.3.19 <2.3.20.3, >=2.3.21 <2.3.24.3, >=2.3.25 <2.3.28.1
Published date: April 20, 2016
Fix date (approximate): April 20, 2016
Severity: High
Category: Remote Code Execution