vulnerability

Apache Struts: S2-032 (CVE-2016-3081): Security updates available for Apache Struts

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:M/Au:N/C:C/I:C/A:C)

Published

Apr 26, 2016

Added

Jun 27, 2017

Modified

Mar 27, 2026

Description

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

Solutions

apache-struts-upgrade-2_3_20_3apache-struts-upgrade-2_3_24_3apache-struts-upgrade-2_3_28_1

References

CVE-2016-3081
https://attackerkb.com/topics/CVE-2016-3081
CWE-77
EUVD-EUVD-2022-3161
https://cwiki.apache.org/confluence/display/WW/S2-032
https://euvd.enisa.europa.eu/vulnerability/EUVD-2022-3161

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report