New Apache Struts RCE Flaw

Security researcher Man Yue Mo has disclosed a critical RCE vulnerability in the Apache Struts web application framework that could allow hackers to run malicious code on vulnerable servers.

Apache Struts is an open source framework for Java web programming and is widely used by enterprises including Vodafone, Lockheed Martin, Virgin Atlantic, and the IRS.

The vulnerability (CVE-2018-11776) resides in the core of Apache Struts and is caused by insufficient validation of user-provided input in the core of the framework under specific configurations. The newly found exploit can be triggered just by visiting a malicious URL on the affected server, allowing attackers to execute code and gain total control over the server and the web application.

All Apache Struts applications running Struts 2.3 to 2.3.34 or Struts 2.5 to 2.5.16, and even some unsupported Struts versions, are potentially vulnerable.

Man Yue Mo of Semmle states: “This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers.”

Your Apache Struts implementation is vulnerable to the reported RCE flaw if it meets the following conditions:

  • The alwaysSelectFullNamespace flag is set to true in the Struts configuration.
  • The Struts configuration file contains an “action” or “url” tag that does not specify the optional namespace attribute, or that specifies a wildcard namespace.

According to the researcher, even if an application is currently not vulnerable, “an inadvertent change to a Struts configuration file may render the application vulnerable in the future.”
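As an added example (not code from the original post or from the Struts project), the following Python script applies the two conditions above to a struts.xml file, so that an inadvertent configuration change of the kind the researcher warns about can be caught in review. It assumes the flag is set through the `struts.mapper.alwaysSelectFullNamespace` constant and reads the article's second condition literally (action and url elements with a namespace attribute); the embedded configuration is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample struts.xml (not from the original post). It combines the
# two conditions the article lists: the alwaysSelectFullNamespace constant set
# to true, plus action/url tags that omit namespace or use a wildcard.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default" namespace="/app">
    <action name="home" class="example.HomeAction" namespace="/app">
      <result>/home.jsp</result>
    </action>
    <action name="login" class="example.LoginAction">
      <result>/login.jsp</result>
    </action>
    <url name="profile" namespace="/*"/>
  </package>
</struts>
"""

def namespace_risky(tag):
    """Risky per the article: namespace omitted, or a wildcard namespace."""
    ns = tag.get("namespace")
    return ns is None or "*" in ns

def assess_struts_config(xml_text):
    """Return (full_namespace_enabled, list of risky tag descriptions)."""
    root = ET.fromstring(xml_text)
    full_ns = any(
        c.get("name", "").endswith("alwaysSelectFullNamespace")
        and c.get("value", "").strip().lower() == "true"
        for c in root.iter("constant")
    )
    risky = [
        f'<{el.tag} name="{el.get("name", "?")}" namespace={el.get("namespace")!r}>'
        for el in root.iter()
        if el.tag in ("action", "url") and namespace_risky(el)
    ]
    return full_ns, risky

def is_vulnerable_config(xml_text):
    """Both article conditions must hold for the config to match the flaw."""
    full_ns, risky = assess_struts_config(xml_text)
    return full_ns and bool(risky)

if __name__ == "__main__":
    enabled, findings = assess_struts_config(SAMPLE_STRUTS_XML)
    print("alwaysSelectFullNamespace enabled:", enabled)
    print("risky tags:", findings)
    print("matches vulnerable configuration:", is_vulnerable_config(SAMPLE_STRUTS_XML))
```

Setting the constant to false, or giving every action and url tag an explicit non-wildcard namespace, makes `is_vulnerable_config` return False.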

The Semmle Security Research Team has discovered RCE vulnerabilities in Apache Struts before; not long ago it found a similar remote code execution vulnerability (CVE-2017-9805) in Apache Struts.

  1. Warren

    Like, from the beginning of Apache there are a lot of flaws. Use nginx!

  2. asiamev

    Apache is well known, but their security is *****
