Apache Struts 2.x before 2.3.28 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.

apache_struts S2-029: S2-029

The version of Apache Struts running on the remote Windows host is 2.x prior to 2.3.29. It is, therefore, affected by the following vulnerabilities :

  - A remote code execution vulnerability exists due to     erroneously performing double OGNL evaluation of     attribute values assigned to certain tags. An     unauthenticated, remote attacker can exploit this, via a     specially crafted request, to execute arbitrary code.
    (CVE-2016-0785)

  - A cross-site request forgery (XSRF) vulnerability exists     due to improper validation of session tokens. An     unauthenticated, remote attacker can exploit this, via a     malicious OGNL expression, to bypass token validation     and perform an XSRF attack. (CVE-2016-4430)

  - Multiple input validation issues exists that allow     internal security mechanisms to be bypassed, allowing     the manipulation of a return string which can be used to     redirect users to a malicious website. This affects both     the default action method the 'getter' action method.
    (CVE-2016-4431, CVE-2016-4433)

  - An unspecified flaw exists that is triggered during the     cleanup of action names. An unauthenticated, remote     attacker can exploit this, via a specially crafted     payload, to perform unspecified actions. (CVE-2016-4436)

  - A remote code execution vulnerability exists in the REST     plugin due to improper handling of OGNL expressions. An     unauthenticated, remote attacker can exploit this, via     a specially crafted OGNL expression, to execute     arbitrary code. (CVE-2016-4438)

  - A remote code execution vulnerability exists in user tag     attributes due to improper handling of OGNL expressions.     An unauthenticated, remote attacker can exploit this,     via a specially crafted double OGNL evaluation, to     execute arbitrary code. (CVE-2016-4461)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache Struts running on the remote host is 2.x prior to 2.3.28. It is, therefore, affected by the following vulnerabilities :
  - A cross-site scripting vulnerability exists due to     improper validation of user-supplied input when using     a single byte page encoding. A remote attacker can     exploit this, via non-spec URL-encoded parameter value     including multi-byte characters. (CVE-2016-4003)

  - A remote code execution vulnerability exists due to     double OGNL evaluation of attribute values assigned to     certain tags. An unauthenticated, remote attacker can     exploit this, via a specially crafted request, to     execute arbitrary code. (CVE-2016-0785)

  - A cross-site scripting vulnerability exists due to     improper validation of user-supplied input when using     the I18NInterceptor. A remote attacker can exploit this,     via a specially crafted request, to execute arbitrary     script code in a user's browser session. (CVE-2016-2162)

  - A denial of service vulnerability exists in the     Object-Graph Navigation Language (OGNL) component due to     a flaw in the implementation of the cache for stored     method references. A context-dependent attacker can     exploit this to block access to arbitrary websites.
    (CVE-2016-3093)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote web application appears to use Apache Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. A remote code execution vulnerability exists due to double OGNL evaluation of attribute values assigned to certain tags. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code.

Note that this plugin only reports the first vulnerable instance of a Struts 2 application.

ID	Name	Product	Family	Severity
91812	Apache Struts 2.x < 2.3.29 Multiple Vulnerabilities (S2-035 - S2-040)	Nessus	Misc.	high
90153	Apache Struts 2.x < 2.3.28 Multiple Vulnerabilities (S2-028) (S2-029) (S2-030) (S2-034)	Nessus	Misc.	high
90152	Apache Struts 2 Tag Attribute Double OGNL Evaluation RCE	Nessus	CGI abuses	high

Detections

Analytics

CVE-2016-0785

high

Tenable Plugins

Coming Soon

high

high

high