CVE-2016-6795

Summary

In the Convention plugin in Apache Struts 2.3.x before 2.3.31, and 2.5.x before 2.5.5, it is possible to prepare a special URL which will be used for path traversal and execution of arbitrary code on server side.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Struts2.3.x before 2.3.31affected
Apache Software FoundationApache Struts2.5.x before 2.5.5affected

Weaknesses

  • Possible path traversal in the Convention plugin

ADP Enrichment

CVE Program Container

Additional References

References