
CVE-2016-3087:
Apache Struts vulnerable to arbitrary remote code execution due to improper input validation

CVSS Score
9.8

Basic Information

EPSS Score
-
Published
5/14/2022
Updated
12/29/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name                     Ecosystem   Vulnerable Versions      First Patched Version
org.apache.struts:struts2-core   maven       >= 2.3.19, < 2.3.20.3    2.3.20.3
org.apache.struts:struts2-core   maven       >= 2.3.21, < 2.3.24.3    2.3.24.3
org.apache.struts:struts2-core   maven       >= 2.3.25, < 2.3.28.1    2.3.28.1
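
The affected ranges above as a runnable check, added here as an example (it is not Miggo tooling and not Apache Struts code): a numeric comparison of four-component Maven versions, the three vulnerable ranges from the table, and a scan of a pom.xml that resolves a ${struts.version} property before checking it. The pom.xml content is constructed, and the function names are assumptions.

```python
# Added example: version-range check for CVE-2016-3087 against the table above.
# Not Miggo tooling and not Apache Struts code; the pom.xml below is constructed.
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# (introduced, first patched) pairs from the advisory table: affected if lo <= v < hi
AFFECTED_RANGES = [
    ("2.3.19", "2.3.20.3"),
    ("2.3.21", "2.3.24.3"),
    ("2.3.25", "2.3.28.1"),
]

POM_NS = "http://maven.apache.org/POM/4.0.0"


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.24.1' -> (2, 3, 24, 1). A qualifier after '-' (e.g. -SNAPSHOT) is dropped."""
    core = v.strip().split("-", 1)[0]
    parts = []
    for p in core.split("."):
        if not p.isdigit():
            raise ValueError(f"non-numeric component in version {v!r}")
        parts.append(int(p))
    return tuple(parts)


def compare_versions(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Per-component numeric compare; missing trailing components count as 0 (2.3.20 == 2.3.20.0)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def first_patched(version: str) -> Optional[str]:
    """Return the first patched version for the range containing `version`, else None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if compare_versions(v, parse_version(lo)) >= 0 and compare_versions(v, parse_version(hi)) < 0:
            return hi
    return None


def is_affected(version: str) -> bool:
    return first_patched(version) is not None


def struts_core_version_from_pom(pom_xml: str) -> Optional[str]:
    """Find org.apache.struts:struts2-core in a POM and resolve a ${property} version."""
    root = ET.fromstring(pom_xml)
    ns = {"m": POM_NS}
    for dep in root.iterfind(".//m:dependency", ns):
        group = dep.findtext("m:groupId", default="", namespaces=ns).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=ns).strip()
        if (group, artifact) != ("org.apache.struts", "struts2-core"):
            continue
        version = dep.findtext("m:version", default="", namespaces=ns).strip()
        if version.startswith("${") and version.endswith("}"):
            key = version[2:-1]
            props = root.find("m:properties", ns)
            for prop in (props if props is not None else []):
                if prop.tag == f"{{{POM_NS}}}{key}" and prop.text:
                    return prop.text.strip()
            return None  # defined in a parent POM or via -D: cannot resolve from this file alone
        return version or None
    return None


def assess_pom(pom_xml: str) -> Tuple[Optional[str], Optional[str]]:
    """(struts2-core version found, first patched version if that version is affected)."""
    version = struts_core_version_from_pom(pom_xml)
    if version is None:
        return None, None
    return version, first_patched(version)


# Constructed pom.xml for illustration (not taken from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>app</artifactId>
  <version>1.0</version>
  <properties>
    <struts.version>2.3.24.1</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    print(assess_pom(SAMPLE_POM))  # ('2.3.24.1', '2.3.24.3')
```

The comparison follows the table literally: a 2.3.20.x build with x >= 3 falls outside every range and is reported as patched, while 2.3.24.1 sits inside the second range and maps to 2.3.24.3. A version inherited from a parent POM or passed with -D comes back as None; run the check against the effective POM (mvn help:effective-pom) in that case.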

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The GitHub commit diff shows the removal of code in XSLTResult.java that read 'xslt.location' from the request parameters. That unvalidated, request-controlled value was used to set the XSLT stylesheet path, so a client could steer which stylesheet was loaded (path manipulation). The advisory ties this improper input validation (CWE-20) to the REST Plugin's handling of the '!' operator when Dynamic Method Invocation (DMI) is enabled, and the patch's removal of the request-dependent path assignment is what this analysis identifies as the root cause.
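
To make the path-manipulation point concrete, an added example that is neither the Struts XSLTResult code nor Miggo's: a Python stand-in for a result type that picks a stylesheet from a request parameter, showing the unvalidated pattern beside a confined version and a stricter allow-list. The base directory /WEB-INF/xslt, the function names and the sample inputs are assumptions. The patch described above removed the request-controlled assignment altogether, which is the simpler fix where the feature is not needed; the block shows what an application that keeps the feature would have to check.

```python
# Added example: confining a request-supplied stylesheet name, as a Python
# stand-in for the XSLTResult 'xslt.location' handling described above.
# Not Apache Struts code and not Miggo's; the base directory and names are assumed.
import posixpath
from typing import Mapping, Optional
from urllib.parse import unquote

STYLESHEET_BASE = "/WEB-INF/xslt"  # assumed location of the application's stylesheets


def unsafe_stylesheet_location(requested: str) -> str:
    """The vulnerable pattern: the request value becomes the stylesheet location as-is."""
    return requested


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so '..%252F' cannot slip past a literal check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def safe_stylesheet_location(requested: str, base: str = STYLESHEET_BASE) -> str:
    """Resolve `requested` under `base` or raise ValueError.

    Rejects NUL and backslash, absolute paths and anything with a scheme-like
    colon, non-stylesheet extensions, and any normalised path that leaves `base`.
    The check is lexical: symlinks inside `base` would still need a realpath test.
    """
    name = _fully_decode(requested)
    if "\x00" in name or "\\" in name:
        raise ValueError("NUL or backslash in stylesheet name")
    if name.startswith("/") or ":" in name:
        raise ValueError("absolute path or URL not allowed")
    if not name.lower().endswith((".xsl", ".xslt")):
        raise ValueError("not a stylesheet name")
    candidate = posixpath.normpath(posixpath.join(base, name))
    if not candidate.startswith(base.rstrip("/") + "/"):
        raise ValueError("stylesheet escapes the base directory")
    return candidate


def rejects(requested: str) -> bool:
    """True if the confined resolver refuses `requested`."""
    try:
        safe_stylesheet_location(requested)
    except ValueError:
        return True
    return False


ALLOWED_STYLESHEETS = {  # assumed application-level map: logical name -> fixed path
    "orders": STYLESHEET_BASE + "/orders.xsl",
    "report": STYLESHEET_BASE + "/report.xsl",
}


def allowlisted_stylesheet(requested: str, allowed: Mapping[str, str] = ALLOWED_STYLESHEETS) -> Optional[str]:
    """Stricter alternative: the request selects a key, never a path."""
    return allowed.get(requested)


if __name__ == "__main__":
    for name in ("report.xsl", "../../etc/passwd.xsl", "..%252F..%252Fetc%252Fpasswd.xsl"):
        print(name, "->", unsafe_stylesheet_location(name), "| rejected:", rejects(name))
```

The allow-list variant is the one to prefer: the request chooses a key, the application owns every path, and no decoding or normalisation edge case can widen the set of files reachable.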

Vulnerable functions


WAF Protection Rules

WAF Rule

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an `!` (exclamation mark) operator to the REST Plugin.
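
A detection counterpart to the rule above, added as an example that is not Miggo's WAF rule: it flags requests whose path carries the DMI `!` separator and distinguishes a plain action!method call from a `!` followed by something that is not a method name, seeing through double URL-encoding. The access-log lines are constructed, and the classification names and regexes are assumptions. Dynamic Method Invocation itself is switched off with the struts.enable.DynamicMethodInvocation constant set to false.

```python
# Added example: flag Dynamic Method Invocation ('!') in request paths taken from
# access-log lines. Not Miggo's WAF rule; the log lines are constructed, names assumed.
import re
from typing import List, Tuple
from urllib.parse import unquote, urlsplit

# Common/combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
JAVA_IDENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")  # what a real method name looks like
EXTENSION = re.compile(r"\.[A-Za-z0-9]+$")  # trailing .action / .json etc. on the last segment


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %2521 is seen as '!'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def classify_request(target: str) -> str:
    """'clean', 'dmi_invocation' (action!method) or 'dmi_expression' ('!' + non-identifier)."""
    path = _fully_decode(urlsplit(target).path)
    for segment in path.split("/"):
        if "!" not in segment:
            continue
        _action, _, method = segment.partition("!")
        method = EXTENSION.sub("", method)
        if JAVA_IDENT.match(method):
            return "dmi_invocation"
        return "dmi_expression"
    return "clean"


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, target, classification) for every request that uses '!'."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        cls = classify_request(m.group("target"))
        if cls != "clean":
            hits.append((m.group("ip"), m.group("target"), cls))
    return hits


# Constructed access-log sample (illustrative only, not captured traffic or a working payload).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2016:12:00:01 +0000] "GET /orders/3 HTTP/1.1" 200 512
10.0.0.5 - - [10/Jun/2016:12:00:02 +0000] "GET /orders/3!update.json HTTP/1.1" 200 498
10.0.0.9 - - [10/Jun/2016:12:00:03 +0000] "GET /orders/3!%23foo%3D1 HTTP/1.1" 500 117
10.0.0.9 - - [10/Jun/2016:12:00:04 +0000] "GET /orders/3%2521%2523foo HTTP/1.1" 404 90
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A deployment that intentionally keeps DMI on produces dmi_invocation hits all day, so treat that class as inventory of where DMI is relied upon; dmi_expression is the alert. The `method:` parameter prefix is the other DMI entry point and is not covered by a path check.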

Reasoning

The GitHub commit diff shows the removal of code in XSLTResult.java that fetched 'xslt.location' from the request parameter. This unvalidated input was used to set the XSLT stylesheet path, enabling path manipulation. The vulnerability documentation