Apache Struts – Dynamic Method Invocation – Remote Code Execution
by CIRT Team
CVE-2016-3081: Apache Struts 2.x before 184.108.40.206, 2.3.24.x before 220.127.116.11 and 2.3.28.x before 18.104.22.168, when Dynamic Method Invocation is enabled allows remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
Impact: Successfully exploiting this issue may allow an attacker to execute arbitrary code in the context of the affected application. Failed exploit attempts may cause a denial-of-service condition.
Mitigation: Vendor has released patch version.