CVE-2016-4438

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2016-4438

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4438.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2016-4438

Aliases

GHSA-4prj-vw9j-v6pr

Published

2016-07-04T22:59:09.100Z

Modified

2026-04-10T03:52:21.395292Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.

References

Affected packages

Git / github.com/apache/struts

Affected ranges

Type

GIT

Repo

https://github.com/apache/struts

Events

Introduced

Last affected

0320310406f6b11cfd235d7a9b866cf1de483a1e

Introduced

Last affected

a9974eec5689a7113a6fb1e2096252f0935064dd

Introduced

Last affected

bbbf43ec59e7bef3b07e9065dc9784c18a95d58b

Introduced

Last affected

925741ad1e8e48c7a6d687fe02d3fdb6386eb64c

Introduced

Last affected

7a9863169f7d981be0d2d57437974ae2cc0c8bd3

Introduced

Last affected

36b6fff05cd4a17f75b091c0edd52e0c1e65ec06

Introduced

Last affected

0ac8932aa3a1b28a8f950863c17165cdc63b1474

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.3.20"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.3.20.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.3.20.3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.3.24"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.3.24.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.3.24.3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.3.28"
        }
    ]
}

Affected versions

Other

STRUTS_2_3_20

STRUTS_2_3_20_1

STRUTS_2_3_20_2

STRUTS_2_3_20_3

STRUTS_2_3_24

STRUTS_2_3_24_1

STRUTS_2_3_24_2

STRUTS_2_3_24_3

STRUTS_2_3_25

STRUTS_2_3_26

STRUTS_2_3_27

STRUTS_2_3_28

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4438.json"