Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.

The version of Apache Struts running on the remote Windows host is 2.x prior to 2.3.29. It is, therefore, affected by the following vulnerabilities :

  - A remote code execution vulnerability exists due to     erroneously performing double OGNL evaluation of     attribute values assigned to certain tags. An     unauthenticated, remote attacker can exploit this, via a     specially crafted request, to execute arbitrary code.
    (CVE-2016-0785)

  - A cross-site request forgery (XSRF) vulnerability exists     due to improper validation of session tokens. An     unauthenticated, remote attacker can exploit this, via a     malicious OGNL expression, to bypass token validation     and perform an XSRF attack. (CVE-2016-4430)

  - Multiple input validation issues exists that allow     internal security mechanisms to be bypassed, allowing     the manipulation of a return string which can be used to     redirect users to a malicious website. This affects both     the default action method the 'getter' action method.
    (CVE-2016-4431, CVE-2016-4433)

  - An unspecified flaw exists that is triggered during the     cleanup of action names. An unauthenticated, remote     attacker can exploit this, via a specially crafted     payload, to perform unspecified actions. (CVE-2016-4436)

  - A remote code execution vulnerability exists in the REST     plugin due to improper handling of OGNL expressions. An     unauthenticated, remote attacker can exploit this, via     a specially crafted OGNL expression, to execute     arbitrary code. (CVE-2016-4438)

  - A remote code execution vulnerability exists in user tag     attributes due to improper handling of OGNL expressions.     An unauthenticated, remote attacker can exploit this,     via a specially crafted double OGNL evaluation, to     execute arbitrary code. (CVE-2016-4461)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache Struts running on the remote host is 2.x prior to 2.3.28. It is, therefore, affected by the following vulnerabilities :
  - A cross-site scripting vulnerability exists due to     improper validation of user-supplied input when using     a single byte page encoding. A remote attacker can     exploit this, via non-spec URL-encoded parameter value     including multi-byte characters. (CVE-2016-4003)

  - A remote code execution vulnerability exists due to     double OGNL evaluation of attribute values assigned to     certain tags. An unauthenticated, remote attacker can     exploit this, via a specially crafted request, to     execute arbitrary code. (CVE-2016-0785)

  - A cross-site scripting vulnerability exists due to     improper validation of user-supplied input when using     the I18NInterceptor. A remote attacker can exploit this,     via a specially crafted request, to execute arbitrary     script code in a user's browser session. (CVE-2016-2162)

  - A denial of service vulnerability exists in the     Object-Graph Navigation Language (OGNL) component due to     a flaw in the implementation of the cache for stored     method references. A context-dependent attacker can     exploit this to block access to arbitrary websites.
    (CVE-2016-3093)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote web application appears to use Apache Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. A remote code execution vulnerability exists due to double OGNL evaluation of attribute values assigned to certain tags. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code.

Note that this plugin only reports the first vulnerable instance of a Struts 2 application.

ID	Name	Product	Family	Severity
91812	Apache Struts 2.x < 2.3.29 Multiple Vulnerabilities (S2-035 - S2-040)	Nessus	Misc.	high
90153	Apache Struts 2.x < 2.3.28 Multiple Vulnerabilities (S2-028) (S2-029) (S2-030) (S2-034)	Nessus	Misc.	high
90152	Apache Struts 2 Tag Attribute Double OGNL Evaluation RCE	Nessus	CGI abuses	high

Detections

Analytics

CVE-2016-0785

high

Tenable Plugins

high

high

high