Vulnerability Change Records for CVE-2016-3081

Change History

CVE Modified by Red Hat, Inc. 11/28/2016 3:6:12 PM

Action Type Old Value New Value
Added Reference
http://www.securityfocus.com/bid/87327 [No Types Assigned]

CVE Modified by Red Hat, Inc. 8/12/2019 5:15:13 PM

Action Type Old Value New Value
Changed Description
Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

Initial CVE Analysis 11/01/2016 2:39:11 PM

Action Type Old Value New Value
Changed CPE Configuration
Configuration 1
     OR
          *cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*
Configuration 1
     OR
          *cpe:2.3:a:oracle:siebel_e-billing:7.1:*:*:*:*:*:*:*
Configuration 2
     OR
          *cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*
Changed Reference Type
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html No Types Assigned
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html Vendor Advisory

CVE Modified by Source 10/25/2016 10:2:24 PM

Action Type Old Value New Value
Added Reference
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Modified Analysis 5/04/2016 6:35:04 PM

Action Type Old Value New Value
Added CPE Configuration
Configuration 1
     OR
          *cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.1.0:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.9:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.8:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.7:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.6:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.5:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.4:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.3:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.14:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.13:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.12:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.11.2:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.11.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.11:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.10:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.1:*:*:*:*:*:*:*
          *cpe:2.3:a:apache:struts:2.0.0:*:*:*:*:*:*:*
Added CVSS V2
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
Added CVSS V3
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Added CWE
CWE-77
Changed Reference Type
https://struts.apache.org/docs/s2-032.html No Types Assigned
https://struts.apache.org/docs/s2-032.html Advisory, Patch

Initial CVE Analysis 5/02/2016 1:23:36 PM

Action Type Old Value New Value

CVE Modified by Source 8/08/2016 10:0:09 PM

Action Type Old Value New Value
Added Reference
http://www.securityfocus.com/bid/91787

CVE Modified by Source 7/21/2016 10:0:14 PM

Action Type Old Value New Value
Added Reference
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

CVE Modified by Red Hat, Inc. 11/30/2016 10:9:41 PM

Action Type Old Value New Value
Added Reference
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160527-01-struts2-en [No Types Assigned]
Added Reference
http://www.rapid7.com/db/modules/exploit/multi/http/struts_dmi_exec [No Types Assigned]
Added Reference
https://www.exploit-db.com/exploits/39756/ [No Types Assigned]

CVE Modified by Source 5/31/2016 9:59:04 PM

Action Type Old Value New Value
Added Reference
http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html
Added Reference
http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec

Modified Analysis 8/18/2016 11:25:04 AM

Action Type Old Value New Value
Changed Reference Type
http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html No Types Assigned
http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html Third Party Advisory, Exploit
Changed Reference Type
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html No Types Assigned
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html Third Party Advisory, Patch
Changed Reference Type
http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec No Types Assigned
http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec Third Party Advisory
Changed Reference Type
http://www.securityfocus.com/bid/91787 No Types Assigned
http://www.securityfocus.com/bid/91787 Third Party Advisory, VDB Entry
Changed Reference Type
http://www.securitytracker.com/id/1035665 No Types Assigned
http://www.securitytracker.com/id/1035665 Third Party Advisory, VDB Entry