Miggo Logo
Miggo Vulnerability Database
CVE-2016-3090

CVE-2016-3090: Apache Struts RCE Vulnerability

8.8

CVSS Score
3.0

Basic Information

CVE ID
CVE-2016-3090
GHSA ID
GHSA-ggmp-fxfg-277r
EPSS Score
0.85649%
CWE
CWE-20
Published
5/14/2022
Updated
11/2/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.struts:struts2-parentmaven>= 2.0.0, < 2.3.202.3.20

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability description explicitly names TextParseUtil.translateVariables as the vulnerable method. Multiple sources (CVE, GHSA, Struts S2-027 advisory) confirm it improperly handles OGNL expression evaluation. The method's lack of input validation for OGNL expressions before Struts 2.3.20 directly enables the RCE vector. While the framework itself doesn't pass user input to this method by default, developer misuse (passing unsanitized input) triggers the vulnerability, making the function itself the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** `T*xtP*rs*Util.tr*nsl*t*V*ri**l*s` m*t*o* in *p**** Struts *.x ***or* *.*.** *llows r*mot* *tt**k*rs to *x**ut* *r*itr*ry *o** vi* * *r**t** O*NL *xpr*ssion wit* *NTLR toolin*.

Reasoning

T** vuln*r**ility **s*ription *xpli*itly n*m*s `T*xtP*rs*Util.tr*nsl*t*V*ri**l*s` *s t** vuln*r**l* m*t*o*. Multipl* sour**s (*V*, **S*, Struts S*-*** **visory) *on*irm it improp*rly **n*l*s O*NL *xpr*ssion *v*lu*tion. T** m*t*o*'s l**k o* input v*li