
CVE-2016-3082:
Remote Code Execution in Apache Struts

CVSS Score: 9.8 (CVSS 3.0)

Basic Information

EPSS Score: 0.97031%
Published: 5/17/2022
Updated: 12/28/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name                   | Ecosystem | Vulnerable Versions    | First Patched Version
org.apache.struts:struts2-core | maven     | < 2.3.20.3             | 2.3.20.3
org.apache.struts:struts2-core | maven     | >= 2.3.24, < 2.3.24.3  | 2.3.24.3
org.apache.struts:struts2-core | maven     | >= 2.3.28, < 2.3.28.1  | 2.3.28.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from XSLTResult's handling of stylesheet locations supplied via request parameters. The advisory explicitly states that this parameter injection flaw in XSLTResult (CWE-20) allows remote code execution. The execute method would be the one responsible for processing the transformation using the user-supplied location. Exact line numbers aren't available, but the class/method structure and the vulnerability pattern match Struts' XSLTResult implementation.


WAF Protection Rules

WAF Rule

XSLTResult allows for the location of a stylesheet being passed as a request parameter. In some circumstances this can be used to inject remotely executable code.
