CVE-2016-6795

In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.securityfocus.com/bid/93773	Third Party Advisory VDB Entry
https://security.netapp.com/advisory/ntap-20180629-0003/
https://struts.apache.org/docs/s2-042.html	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:struts:2.3.20:::::::*
	cpe:2.3:a:apache:struts:2.3.20.1:::::::*
	cpe:2.3:a:apache:struts:2.3.20.2:::::::*
	cpe:2.3:a:apache:struts:2.3.20.3:::::::*
	cpe:2.3:a:apache:struts:2.3.21:::::::*
	cpe:2.3:a:apache:struts:2.3.22:::::::*
	cpe:2.3:a:apache:struts:2.3.23:::::::*
	cpe:2.3:a:apache:struts:2.3.24:::::::*
	cpe:2.3:a:apache:struts:2.3.24.1:::::::*
	cpe:2.3:a:apache:struts:2.3.24.2:::::::*
	cpe:2.3:a:apache:struts:2.3.24.3:::::::*
	cpe:2.3:a:apache:struts:2.3.25:::::::*
	cpe:2.3:a:apache:struts:2.3.26:::::::*
	cpe:2.3:a:apache:struts:2.3.27:::::::*
	cpe:2.3:a:apache:struts:2.3.28:::::::*
	cpe:2.3:a:apache:struts:2.3.28.1:::::::*
	cpe:2.3:a:apache:struts:2.3.29:::::::*
	cpe:2.3:a:apache:struts:2.3.30:::::::*

History

No history.

Information

Published : 2017-09-20 17:29

Updated : 2024-02-28 16:04

NVD link : CVE-2016-6795

Mitre link : CVE-2016-6795

CVE.ORG link : CVE-2016-6795

JSON object : View

Products Affected

apache

struts

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2016-6795", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2017-09-20T17:29:00.277", "references": [{"url": "http://www.securityfocus.com/bid/93773", "tags": ["Third Party Advisory", "VDB Entry"], "source": "security@apache.org"}, {"url": "https://security.netapp.com/advisory/ntap-20180629-0003/", "source": "security@apache.org"}, {"url": "https://struts.apache.org/docs/s2-042.html", "tags": ["Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side."}, {"lang": "es", "value": "En el plugin Convention en Apache Struts versiones 2.3.x anteriores a 2.3.31, y versiones 2.5.x anteriores a 2.5.5, es posible preparar una URL especial que ser\u00e1 usada para el salto de ruta (path) y una ejecuci\u00f3n de c\u00f3digo arbitrario en el lado del servidor."}], "lastModified": "2019-08-12T21:15:13.530", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22FF6282-0BCA-46EB-9648-6EE3EDA189F2"}, {"criteria": "cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D1467BC-9BC8-402D-A420-615CF9698648"}, {"criteria": "cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "12CE716B-867F-49CA-BDAF-194714D990C1"}, {"criteria": "cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "880AEA69-3705-447D-80FF-60753248158F"}, {"criteria": "cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CB6057D5-0787-4026-A202-ACD07C862F8D"}, {"criteria": "cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1B3AE8EA-4D25-4151-A210-ECDE802F8A2F"}, {"criteria": "cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "79C615AE-4709-47EB-85F8-BD944096428E"}, {"criteria": "cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "524C5119-416D-413B-BF1D-29291E23FDB2"}, {"criteria": "cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "45446B16-F531-4C6D-B889-A8A6622C70A2"}, {"criteria": "cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "39047809-4E6D-4670-B9BA-D8FD910E38EB"}, {"criteria": "cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71823E13-1896-4EE4-A49C-CFFB717FFD80"}, {"criteria": "cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "291F3624-8AB5-46F2-9BB5-F592DF1C9F88"}, {"criteria": "cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DD053675-DE5E-40A8-B404-4F36AAC82502"}, {"criteria": "cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B0392E61-6D77-43C3-8009-96BC0F90B8D1"}, {"criteria": "cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C778ADED-75B5-4AD3-8CDC-EFDFFAD5A742"}, {"criteria": "cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "067F6249-CC5A-4402-843C-06D5F9F77267"}, {"criteria": "cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0AFA78DD-B60C-46AD-BCCB-4E15BB16BEDC"}, {"criteria": "cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1DA1EABE-5292-44C2-8327-54201A42F204"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}