Security for everyone

CVE-2018-11776 Scanner

Detects the 'Remote Code Execution (RCE)' vulnerability in Apache Software Foundation Struts that affects versions 2.3 to 2.3.34 and 2.5 to 2.5.16.


Short Info

Level: High
Type: Single Scan
Can be used by: Asset Owner
Estimated Time: 15 sec
Scan only one: Url
Parent Category

CVE-2018-11776 Scanner Detail

Apache Struts is a widely-used open-source framework for developing enterprise-level Java web applications. It provides a set of APIs for building complex web applications, while also facilitating the MVC (Model View Controller) architecture. Many organizations prefer Apache Struts as it helps in reducing application development time, improving application security, and providing a highly flexible system for developers. With the increased adoption of Apache Struts in various industries, it is essential to ensure the software is secure.

Recently, a serious vulnerability, CVE-2018-11776, was detected in Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16. The flaw affects systems where 'alwaysSelectFullNamespace' is enabled (set to 'true'), either by the user or by a plugin such as the Convention Plugin. It arises when results are used without a namespace and their upper package has no namespace or a wildcard namespace. It is also present when URL tags are used without a value and action set and their upper package has no namespace or a wildcard namespace.
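The conditions above can be checked offline against an application's own struts.xml. The following is an added example, not part of the scanner or of Apache Struts: the function names and the sample configuration are constructed for illustration, and the list of result types that take a namespace parameter (redirectAction, chain, postback) is the editor's assumption about which results to inspect.

```python
import xml.etree.ElementTree as ET

# Affected ranges as stated on this page.
AFFECTED = [((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 16))]
# Struts result types that accept a "namespace" param (editor's assumption).
NS_RESULTS = {"redirectAction", "chain", "postback"}
FLAG = "struts.mapper.alwaysSelectFullNamespace"

def is_affected_version(version):
    """True if a struts2-core version string falls in the affected ranges."""
    parts = [int(p) for p in version.split(".")[:3]]
    v = tuple(parts + [0] * (3 - len(parts)))
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def audit_struts_xml(xml_text):
    """Return (flag_enabled, findings) for one struts.xml document."""
    root = ET.fromstring(xml_text)
    flag = any(c.get("name") == FLAG and (c.get("value") or "").strip().lower() == "true"
               for c in root.iter("constant"))
    findings = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace") or ""
        if ns and "*" not in ns:
            continue  # package has a concrete namespace
        for action in pkg.iter("action"):
            for res in action.iter("result"):
                has_ns = any(p.get("name") == "namespace" for p in res.iter("param"))
                if res.get("type") in NS_RESULTS and not has_ns:
                    findings.append((pkg.get("name"), action.get("name"), res.get("type")))
    return flag, findings

# Constructed sample configuration (not taken from a real application).
SAMPLE = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="open" extends="struts-default">
    <action name="save" class="example.SaveAction">
      <result type="redirectAction">list</result>
    </action>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="save" class="example.SaveAction">
      <result type="redirectAction">list</result>
    </action>
  </package>
</struts>"""

if __name__ == "__main__":
    print(audit_struts_xml(SAMPLE), is_affected_version("2.5.16"))
```

A false flag here is not a clean result on its own, because a plugin such as the Convention Plugin can enable the setting outside struts.xml. The URL tag case lives in view templates and is not covered by this check.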

Exploiting the CVE-2018-11776 vulnerability can have severe consequences because it allows an attacker to execute arbitrary code remotely. A successful attacker can gain complete control of the affected system and obtain sensitive information, such as passwords, credit card details, and other confidential data. The vulnerability can be exploited by sending a specially crafted HTTP request to the affected server.

In conclusion, ensuring that your digital assets are secure is of utmost importance in today's digital age. Securityforeveryone.com is a platform that offers advanced security features to help its clients stay ahead of potential threats and vulnerabilities. With the help of Securityforeveryone.com, clients can easily and quickly learn about vulnerabilities in their digital assets and take necessary precautions to keep their assets secure. By coupling Securityforeveryone.com with the suggested precautions outlined above, users can rest assured their digital assets are safe and sound.

 
