Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Vulnerabilities
CVE |
Severity |
CVSS |
Dependency |
Type |
Fixed in (struts2-core version) |
Remediation Possible** |
Reachability |
CVE-2017-5638 |
Critical |
10.0 |
struts2-core-2.3.31.jar |
Direct |
2.3.32 |
✅ |
|
CVE-2021-31805 |
Critical |
9.8 |
struts2-core-2.3.31.jar |
Direct |
org.apache.struts:struts2-core:2.5.30 |
✅ |
|
CVE-2019-0230 |
Critical |
9.8 |
struts2-core-2.3.31.jar |
Direct |
2.5.22 |
✅ |
|
CVE-2016-1000031 |
Critical |
9.8 |
commons-fileupload-1.2.2.jar |
Transitive |
2.3.37 |
✅ |
|
CVE-2017-12611 |
Critical |
9.8 |
struts2-core-2.3.31.jar |
Direct |
2.3.34 |
✅ |
|
CVE-2020-17530 |
Critical |
9.8 |
struts2-core-2.3.31.jar |
Direct |
2.5.26 |
✅ |
|
CVE-2018-11776 |
High |
8.1 |
struts2-core-2.3.31.jar |
Direct |
2.3.35 |
✅ |
|
CVE-2016-3092 |
High |
7.5 |
commons-fileupload-1.2.2.jar |
Transitive |
2.3.32 |
✅ |
|
CVE-2023-34396 |
High |
7.5 |
struts2-core-2.3.31.jar |
Direct |
2.5.31 |
✅ |
|
CVE-2017-9804 |
High |
7.5 |
detected in multiple dependencies |
Transitive |
2.3.34 |
✅ |
|
CVE-2023-24998 |
High |
7.5 |
commons-fileupload-1.2.2.jar |
Transitive |
6.1.2 |
✅ |
|
CVE-2019-0233 |
High |
7.5 |
struts2-core-2.3.31.jar |
Direct |
2.5.22 |
✅ |
|
CVE-2017-9787 |
High |
7.5 |
detected in multiple dependencies |
Transitive |
2.3.33 |
✅ |
|
WS-2014-0034 |
High |
7.5 |
commons-fileupload-1.2.2.jar |
Transitive |
2.3.37 |
✅ |
|
CVE-2013-2186 |
High |
7.3 |
commons-fileupload-1.2.2.jar |
Transitive |
N/A* |
❌ |
|
CVE-2014-0050 |
High |
7.3 |
commons-fileupload-1.2.2.jar |
Transitive |
2.3.32 |
✅ |
|
CVE-2023-34149 |
Medium |
6.5 |
struts2-core-2.3.31.jar |
Direct |
2.5.31 |
✅ |
|
CVE-2021-29425 |
Medium |
4.8 |
commons-io-2.1.jar |
Transitive |
6.1.2 |
✅ |
|
CVE-2013-0248 |
Medium |
4.0 |
commons-fileupload-1.2.2.jar |
Transitive |
2.3.32 |
✅ |
|
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2017-5638
Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
- ❌ struts2-core-2.3.31.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Publish Date: 2017-03-11
URL: CVE-2017-5638
CVSS 3 Score Details (10.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2017-03-11
Fix Resolution: 2.3.32
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-31805
Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
- ❌ struts2-core-2.3.31.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
Publish Date: 2022-04-12
URL: CVE-2021-31805
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-062
Release Date: 2022-04-12
Fix Resolution: org.apache.struts:struts2-core:2.5.30
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-0230
Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
- ❌ struts2-core-2.3.31.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Publish Date: 2020-09-14
URL: CVE-2019-0230
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/ww/s2-059
Release Date: 2020-09-14
Fix Resolution: 2.5.22
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2016-1000031
Vulnerable Library - commons-fileupload-1.2.2.jar
The FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Path to dependency file: /ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
- struts2-core-2.3.31.jar (Root Library)
- ❌ commons-fileupload-1.2.2.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Publish Date: 2016-10-25
URL: CVE-2016-1000031
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
Release Date: 2016-10-25
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.3
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.37
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2017-12611
Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
- ❌ struts2-core-2.3.31.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.
Publish Date: 2017-09-20
URL: CVE-2017-12611
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-053
Release Date: 2017-09-07
Fix Resolution: 2.3.34
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-17530
Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
- ❌ struts2-core-2.3.31.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
Publish Date: 2020-12-11
URL: CVE-2020-17530
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-061
Release Date: 2020-12-11
Fix Resolution: 2.5.26
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2018-11776
Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
- ❌ struts2-core-2.3.31.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.
Publish Date: 2018-08-22
URL: CVE-2018-11776
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11776
Release Date: 2018-08-22
Fix Resolution: 2.3.35
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2016-3092
Vulnerable Library - commons-fileupload-1.2.2.jar
The FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Path to dependency file: /ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
- struts2-core-2.3.31.jar (Root Library)
- ❌ commons-fileupload-1.2.2.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Publish Date: 2016-07-04
URL: CVE-2016-3092
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Release Date: 2016-07-04
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.2
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.32
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-34396
Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
- ❌ struts2-core-2.3.31.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2.
Upgrade to Struts 2.5.31 or 6.1.2.1 or greater
Publish Date: 2023-06-14
URL: CVE-2023-34396
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4g42-gqrg-4633
Release Date: 2023-06-14
Fix Resolution: 2.5.31
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2017-9804
Vulnerable Libraries - xwork-core-2.3.31.jar, struts2-core-2.3.31.jar
xwork-core-2.3.31.jar
Apache Struts 2
Library home page: http://struts.apache.org/
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar
Dependency Hierarchy:
- struts2-core-2.3.31.jar (Root Library)
- ❌ xwork-core-2.3.31.jar (Vulnerable Library)
struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
- ❌ struts2-core-2.3.31.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.
Publish Date: 2017-09-20
URL: CVE-2017-9804
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2017-09-05
Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.34
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.34
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-24998
Vulnerable Library - commons-fileupload-1.2.2.jar
The FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Path to dependency file: /ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
- struts2-core-2.3.31.jar (Root Library)
- ❌ commons-fileupload-1.2.2.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
Note that, like all of the file upload limits, the
new configuration option (FileUploadBase#setFileCountMax) is not
enabled by default and must be explicitly configured.
Publish Date: 2023-02-20
URL: CVE-2023-24998
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-10.html
Release Date: 2023-02-20
Fix Resolution (commons-fileupload:commons-fileupload): 1.5
Direct dependency fix Resolution (org.apache.struts:struts2-core): 6.1.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2019-0233
Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
- ❌ struts2-core-2.3.31.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.
Publish Date: 2020-09-14
URL: CVE-2019-0233
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/ww/s2-060
Release Date: 2020-09-14
Fix Resolution: 2.5.22
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2017-9787
Vulnerable Libraries - xwork-core-2.3.31.jar, struts2-core-2.3.31.jar
xwork-core-2.3.31.jar
Apache Struts 2
Library home page: http://struts.apache.org/
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar
Dependency Hierarchy:
- struts2-core-2.3.31.jar (Root Library)
- ❌ xwork-core-2.3.31.jar (Vulnerable Library)
struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
- ❌ struts2-core-2.3.31.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.
Publish Date: 2017-07-13
URL: CVE-2017-9787
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2017-07-13
Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.33
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.33
⛑️ Automatic Remediation will be attempted for this issue.
WS-2014-0034
Vulnerable Library - commons-fileupload-1.2.2.jar
The FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Path to dependency file: /ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
- struts2-core-2.3.31.jar (Root Library)
- ❌ commons-fileupload-1.2.2.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
The class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception.
Publish Date: 2014-02-17
URL: WS-2014-0034
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2014-02-17
Fix Resolution (commons-fileupload:commons-fileupload): 1.4
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.37
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2013-2186
Vulnerable Library - commons-fileupload-1.2.2.jar
The FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Path to dependency file: /ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
- struts2-core-2.3.31.jar (Root Library)
- ❌ commons-fileupload-1.2.2.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.
Publish Date: 2013-10-28
URL: CVE-2013-2186
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2186
Release Date: 2013-10-28
Fix Resolution: commons-fileupload:commons-fileupload:1.3.1
CVE-2014-0050
Vulnerable Library - commons-fileupload-1.2.2.jar
The FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Path to dependency file: /ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
- struts2-core-2.3.31.jar (Root Library)
- ❌ commons-fileupload-1.2.2.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
Publish Date: 2014-04-01
URL: CVE-2014-0050
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
Release Date: 2014-03-28
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.1
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.32
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-34149
Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
- ❌ struts2-core-2.3.31.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2.
Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.
Publish Date: 2023-06-14
URL: CVE-2023-34149
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-8f6x-v685-g2xc
Release Date: 2023-06-14
Fix Resolution: 2.5.31
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-29425
Vulnerable Library - commons-io-2.1.jar
The Commons IO library contains utility classes, stream implementations, file filters, file comparators and endian classes.
Library home page: http://commons.apache.org/io/
Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.1/commons-io-2.1.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.1/commons-io-2.1.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.1/commons-io-2.1.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.1/commons-io-2.1.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.1/commons-io-2.1.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.1/commons-io-2.1.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.1/commons-io-2.1.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.1/commons-io-2.1.jar
Dependency Hierarchy:
- struts2-core-2.3.31.jar (Root Library)
- ❌ commons-io-2.1.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution (commons-io:commons-io): 2.7
Direct dependency fix Resolution (org.apache.struts:struts2-core): 6.1.2
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2013-0248
Vulnerable Library - commons-fileupload-1.2.2.jar
The FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Path to dependency file: /ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
- struts2-core-2.3.31.jar (Root Library)
- ❌ commons-fileupload-1.2.2.jar (Vulnerable Library)
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability Details
The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.
Publish Date: 2013-03-15
URL: CVE-2013-0248
CVSS 3 Score Details (4.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0248
Release Date: 2013-03-15
Fix Resolution (commons-fileupload:commons-fileupload): 1.3
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.32
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.