NVD

Vulnerability Change Records for CVE-2016-3081

Change History

CVE Modified by Red Hat, Inc. 11/28/2016 3:6:12 PM

Action	Type	Old Value	New Value
Added	Reference		http://www.securityfocus.com/bid/87327 [No Types Assigned]

CVE Modified by Red Hat, Inc. 8/12/2019 5:15:13 PM

Action

Type

Old Value

New Value

Changed

Description

Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

Initial CVE Analysis 11/01/2016 2:39:11 PM

Action

Type

Old Value

New Value

Changed

CPE Configuration

Configuration 1
     OR
          *cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*

Configuration 1
     OR
          *cpe:2.3:a:oracle:siebel_e-billing:7.1:*:*:*:*:*:*:*
Configuration 2
     OR
          *cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*

Changed

Reference Type

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html No Types Assigned

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html Vendor Advisory

CVE Modified by Source 10/25/2016 10:2:24 PM

Action	Type	Old Value	New Value
Added	Reference		http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Modified Analysis 5/04/2016 6:35:04 PM

Action	Type	Old Value	New Value
Added	CPE Configuration		Configuration 1 OR cpe:2.3:a:apache:struts:2.3.28::::::: cpe:2.3:a:apache:struts:2.3.20::::::: cpe:2.3:a:apache:struts:2.3.24.1::::::: cpe:2.3:a:apache:struts:2.3.24::::::: cpe:2.3:a:apache:struts:2.3.8::::::: cpe:2.3:a:apache:struts:2.3.7::::::: cpe:2.3:a:apache:struts:2.3.4.1::::::: cpe:2.3:a:apache:struts:2.3.4::::::: cpe:2.3:a:apache:struts:2.3.3::::::: cpe:2.3:a:apache:struts:2.3.20.1::::::: cpe:2.3:a:apache:struts:2.3.16.3::::::: cpe:2.3:a:apache:struts:2.3.16.2::::::: cpe:2.3:a:apache:struts:2.3.16.1::::::: cpe:2.3:a:apache:struts:2.3.16::::::: cpe:2.3:a:apache:struts:2.3.15.3::::::: cpe:2.3:a:apache:struts:2.3.15.2::::::: cpe:2.3:a:apache:struts:2.3.15.1::::::: cpe:2.3:a:apache:struts:2.3.15::::::: cpe:2.3:a:apache:struts:2.3.14.3::::::: cpe:2.3:a:apache:struts:2.3.14.2::::::: cpe:2.3:a:apache:struts:2.3.14.1::::::: cpe:2.3:a:apache:struts:2.3.14::::::: cpe:2.3:a:apache:struts:2.3.12::::::: cpe:2.3:a:apache:struts:2.3.1.2::::::: cpe:2.3:a:apache:struts:2.3.1.1::::::: cpe:2.3:a:apache:struts:2.3.1::::::: cpe:2.3:a:apache:struts:2.2.3.1::::::: cpe:2.3:a:apache:struts:2.2.3::::::: cpe:2.3:a:apache:struts:2.2.1.1::::::: cpe:2.3:a:apache:struts:2.2.1::::::: cpe:2.3:a:apache:struts:2.1.8.1::::::: cpe:2.3:a:apache:struts:2.1.8::::::: cpe:2.3:a:apache:struts:2.1.6::::::: cpe:2.3:a:apache:struts:2.1.5::::::: cpe:2.3:a:apache:struts:2.1.4::::::: cpe:2.3:a:apache:struts:2.1.3::::::: cpe:2.3:a:apache:struts:2.1.2::::::: cpe:2.3:a:apache:struts:2.1.1::::::: cpe:2.3:a:apache:struts:2.1.0::::::: cpe:2.3:a:apache:struts:2.0.9::::::: cpe:2.3:a:apache:struts:2.0.8::::::: cpe:2.3:a:apache:struts:2.0.7::::::: cpe:2.3:a:apache:struts:2.0.6::::::: cpe:2.3:a:apache:struts:2.0.5::::::: cpe:2.3:a:apache:struts:2.0.4::::::: cpe:2.3:a:apache:struts:2.0.3::::::: cpe:2.3:a:apache:struts:2.0.2::::::: cpe:2.3:a:apache:struts:2.0.14::::::: cpe:2.3:a:apache:struts:2.0.13::::::: cpe:2.3:a:apache:struts:2.0.12::::::: cpe:2.3:a:apache:struts:2.0.11.2::::::: cpe:2.3:a:apache:struts:2.0.11.1::::::: cpe:2.3:a:apache:struts:2.0.11::::::: cpe:2.3:a:apache:struts:2.0.10::::::: cpe:2.3:a:apache:struts:2.0.1::::::: cpe:2.3:a:apache:struts:2.0.0:::::::
Added	CVSS V2		(AV:N/AC:M/Au:N/C:C/I:C/A:C)
Added	CVSS V3		AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Added	CWE		CWE-77
Changed	Reference Type	https://struts.apache.org/docs/s2-032.html No Types Assigned	https://struts.apache.org/docs/s2-032.html Advisory, Patch

Initial CVE Analysis 5/02/2016 1:23:36 PM

Action	Type	Old Value	New Value

CVE Modified by Source 8/08/2016 10:0:09 PM

Action	Type	Old Value	New Value
Added	Reference		http://www.securityfocus.com/bid/91787

CVE Modified by Source 7/21/2016 10:0:14 PM

Action	Type	Old Value	New Value
Added	Reference		http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

CVE Modified by Red Hat, Inc. 11/30/2016 10:9:41 PM

Action

Type

Old Value

New Value

Added

Reference

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160527-01-struts2-en [No Types Assigned]

Added

Reference

http://www.rapid7.com/db/modules/exploit/multi/http/struts_dmi_exec [No Types Assigned]

Added

Reference

https://www.exploit-db.com/exploits/39756/ [No Types Assigned]

CVE Modified by Source 5/31/2016 9:59:04 PM

Action	Type	Old Value	New Value
Added	Reference		http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html
Added	Reference		http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec

Modified Analysis 8/18/2016 11:25:04 AM

Action	Type	Old Value	New Value
Changed	Reference Type	http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html No Types Assigned	http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html Third Party Advisory, Exploit
Changed	Reference Type	http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html No Types Assigned	http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html Third Party Advisory, Patch
Changed	Reference Type	http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec No Types Assigned	http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec Third Party Advisory
Changed	Reference Type	http://www.securityfocus.com/bid/91787 No Types Assigned	http://www.securityfocus.com/bid/91787 Third Party Advisory, VDB Entry
Changed	Reference Type	http://www.securitytracker.com/id/1035665 No Types Assigned	http://www.securitytracker.com/id/1035665 Third Party Advisory, VDB Entry

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

Vulnerability Change Records for CVE-2016-3081

Change History

CVE Modified by Red Hat, Inc. 11/28/2016 3:6:12 PM

CVE Modified by Red Hat, Inc. 8/12/2019 5:15:13 PM

Initial CVE Analysis 11/01/2016 2:39:11 PM

CVE Modified by Source 10/25/2016 10:2:24 PM

Modified Analysis 5/04/2016 6:35:04 PM

Initial CVE Analysis 5/02/2016 1:23:36 PM

CVE Modified by Source 8/08/2016 10:0:09 PM

CVE Modified by Source 7/21/2016 10:0:14 PM

CVE Modified by Red Hat, Inc. 11/30/2016 10:9:41 PM

CVE Modified by Source 5/31/2016 9:59:04 PM

Modified Analysis 8/18/2016 11:25:04 AM