Vulnerability Description
Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Struts | >= 2.0.0, < 2.3.29 |
| Netapp | Oncommand Balance | - |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/91277Third Party AdvisoryVDB Entry
- https://security.netapp.com/advisory/ntap-20180629-0004/Third Party Advisory
- https://struts.apache.org/docs/s2-036.htmlMitigationVendor Advisory
- http://www.securityfocus.com/bid/91277Third Party AdvisoryVDB Entry
- https://security.netapp.com/advisory/ntap-20180629-0004/Third Party Advisory
- https://struts.apache.org/docs/s2-036.htmlMitigationVendor Advisory
FAQ
What is CVE-2016-4461?
CVE-2016-4461 is a vulnerability with a CVSS score of 8.8 (HIGH). Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because o...
How severe is CVE-2016-4461?
CVE-2016-4461 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-4461?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Struts, Netapp Oncommand Balance.