CVE-2018-11776

Remote Code Execution
Affects: Apache Struts >=2.3.0 <2.3.35, >=2.5.0 <2.5.17
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Struts is a popular open-source web application framework for developing Java EE web applications. It provides robust support for building modern Java-based enterprise applications.

A Remote Code Execution (RCE) vulnerability (CVE-2018-11776) has been identified in Apache Struts, which allows attackers to execute arbitrary code on the target system by sending specially crafted requests. This can compromise system integrity and lead to further exploitation.

Per CrowdStrike: Remote code execution (RCE) refers to a class of cyberattacks in which attackers remotely execute commands to place malware or other malicious code on your computer or network. An RCE vulnerability can compromise a user’s sensitive data without the hackers needing to gain physical access to your network.

This issue affects multiple versions: Struts 2.0.4 - Struts 2.3.34 and Struts 2.5.0 - Struts 2.5.16.

Details

Module Info

  • Product: Apache Struts
  • Affected packages: struts-core
  • Affected versions: >=2.3.0 <2.3.35, >=2.5.0 <2.5.17
  • GitHub repository: https://github.com/apache/struts
  • Package manager: Maven
  • Fixed in: >=2.3.34 and >=2.5.16

Vulnerability Info

The vulnerability arises from improper handling of namespaces and results when the alwaysSelectFullNamespace option is enabled; an attacker can exploit it to execute arbitrary code on the server. Users of affected Apache Struts versions should upgrade to a patched version and follow recommended security practices to mitigate this risk.
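As an added illustration (not code from HeroDevs or the Struts project), the following hypothetical audit script flags the configuration pattern described above in a struts.xml: the alwaysSelectFullNamespace constant set to true together with results that carry no explicit namespace inside a package whose own namespace is absent or a wildcard. The set of result types it inspects (redirectAction, chain) and the wildcard check are assumptions of this example, and the sample configuration is constructed for the demonstration.

```python
"""Hypothetical struts.xml audit for the CVE-2018-11776 configuration pattern.

Added example; not part of the advisory or of Apache Struts. It only reads
configuration and reports where the risky combination appears.
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration: one weak package, one with explicit namespaces.
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index">
      <result type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
  <package name="safe" namespace="/app" extends="struts-default">
    <action name="index">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>
"""

# Result types assumed (in this example) to fall back to the request namespace.
NAMESPACE_SENSITIVE_RESULTS = ("redirectAction", "chain")

def full_namespace_enabled(root):
    """True when struts.mapper.alwaysSelectFullNamespace is set to true."""
    for c in root.iter("constant"):
        if c.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return c.get("value", "").strip().lower() == "true"
    return False

def audit(xml_text):
    """Return (package, action) pairs whose results lack an explicit namespace."""
    root = ET.fromstring(xml_text)
    findings = []
    if not full_namespace_enabled(root):
        return findings
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if ns and "*" not in ns:
            continue  # explicit, non-wildcard package namespace
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") not in NAMESPACE_SENSITIVE_RESULTS:
                    continue
                params = {p.get("name"): (p.text or "").strip() for p in result.iter("param")}
                if not params.get("namespace"):
                    findings.append((pkg.get("name"), action.get("name")))
    return findings
```

Running `audit(SAMPLE_STRUTS_XML)` reports the "default" package only; setting the constant to false or adding a namespace param clears the finding.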

Credit

Mitigation

Users of the affected components should apply one of the following mitigations:

  • Upgrade to patched version 2.3.35 or 2.5.17.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

  • ID: CVE-2018-11776
  • Project affected: Apache Struts
  • Versions affected: >=2.3.0 <2.3.35, >=2.5.0 <2.5.17
  • Published date: August 18, 2022
  • Fix date (approximate): August 18, 2022
  • Severity: Critical
  • Category: Remote Code Execution