Apache Struts 2 Remote Code Execution Vulnerability

Apache Struts 2 Remote Code Execution Vulnerability

agosto 24, 2018 | Adeline Zhang


Apache Struts2, CVE-2018-11776, Remote Code Execution, S2-057


This vulnerability can lead to remote code execution. PoC has been made publicly available and may lead to significant, extensive impact.


On August 22, Apache disclosed a remote code execution (RCE) vulnerability that has been asigned the CVE number CVE-2018-11776.  This vulnerability could be triggered when:

  • using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Or
  • using url tag which doesn’t have value and action set.

Reference link: https://cwiki.apache.org/confluence/display/WW/S2-057

NSFOCUS will release a detailed analysis and protection solution very soon. Stay tuned!

Affected Versions

 Struts 2.3 – 2.3.34
 Struts 2.5 – 2.5.16

Unaffected Versions
 Struts 2.3.35
 Struts 2.5.17


Apache has fixed this vulnerability in its new versions. Users are advised to upgrade to Apache Struts version 2.3.35 or 2.5.17.If you are a developers, you can upgrade and release their applications by configuring Maven or Gradle. Or you can download and use the new Struts frame.


<!– https://mvnrepository.com/artifact/org.apache.struts/struts2-core –>







// https://mvnrepository.com/artifact/org.apache.struts/struts2-core

compile group: ‘org.apache.struts’, name: ‘struts2-core’, version: ‘2.5.17


Struts2.3.35 http://mirrors.hust.edu.cn/apache/struts/2.3.35/struts-2.3.35-all.zip
Struts2.5.17 http://mirrors.hust.edu.cn/apache/struts/2.5.17/struts-2.5.17-all.zip


Check all Struts 2 configuration files such as struts.xml and set namespace for all package nodes not defined yet.

<package name=”user” namespace=”/user” extends=”struts-default”>

<action name=”login”>