CVE-2016-0785:
Apache Struts RCE Vulnerability

CVSS Score: 8.8 (CVSS 3.0)

Basic Information

EPSS Score: 0.96714%
Published: 5/14/2022
Updated: 12/28/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.apache.struts:struts2-core | maven | >= 2.0.0, < 2.3.20.3 | 2.3.20.3
org.apache.struts:struts2-core | maven | >= 2.3.24, < 2.3.24.3 | 2.3.24.3

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from two key issues:

  1. Component.findValue's unconditional OGNL evaluation when altSyntax was enabled, without verifying if the input actually contained an expression.
  2. ComponentUtils.isExpression's strict '%{...}' boundary check, which failed to detect expressions mixed with other text (e.g., 'foo%{bar}').

These functions together allowed attackers to inject OGNL expressions via tag attributes that would be evaluated twice: first during attribute processing, then again during rendering. The patch added ComponentUtils.containsExpression to detect partial expressions and modified findValue to use this check, preventing the double evaluation.
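
The gap between the two checks, as an added example that is not Struts source code: `isExpression` and `containsExpression` are reimplemented here from the description above, and `evaluate`, `findValueUnconditional` and `findValueGated` are hypothetical stand-ins that only count how often a value would reach the expression engine. The attribute values are constructed samples.

```java
import java.util.List;

public class ExpressionGateDemo {
    static int evaluations = 0; // how often the stand-in evaluator was reached

    // Strict boundary check: true only when the whole value is one %{...}.
    static boolean isExpression(String v) {
        return v.startsWith("%{") && v.endsWith("}");
    }

    // Partial-expression check: true when a %{...} fragment appears anywhere.
    static boolean containsExpression(String v) {
        int open = v.indexOf("%{");
        return open >= 0 && v.indexOf('}', open + 2) >= 0;
    }

    // Stand-in for the expression engine; it counts calls and evaluates nothing.
    static String evaluate(String v) {
        evaluations++;
        return "<evaluated:" + v + ">";
    }

    // Pre-patch behaviour as described: with altSyntax on, every value is evaluated.
    static String findValueUnconditional(String v) {
        return evaluate(v);
    }

    // Patched behaviour as described: evaluate only when an expression is present.
    static String findValueGated(String v) {
        return containsExpression(v) ? evaluate(v) : v;
    }

    public static void main(String[] args) {
        // Constructed sample attribute values.
        List<String> samples = List.of("plain text", "%{bar}", "foo%{bar}", "50% {off}");
        System.out.printf("%-12s %-13s %-19s %s%n",
                "value", "isExpression", "containsExpression", "gated result");
        for (String v : samples) {
            System.out.printf("%-12s %-13b %-19b %s%n",
                    v, isExpression(v), containsExpression(v), findValueGated(v));
        }
        int gated = evaluations;
        evaluations = 0;
        samples.forEach(ExpressionGateDemo::findValueUnconditional);
        System.out.println("evaluator calls: gated=" + gated + ", unconditional=" + evaluations);
    }
}
```

The `foo%{bar}` row is the case the strict check misses, and the literal rows are the values the gated path returns without evaluating.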
