Apache Struts 2.0.x < 2.0.12 / 2.1.x < 2.1.6 Directory Traversal Vulnerability (S2-004)

medium Nessus Plugin ID 128766

Synopsis

A web application running on the remote host uses a Java framework that is affected by a directory traversal vulnerability.

Description

The version of Apache Struts running on the remote host is 2.0.x prior to 2.0.12 or 2.1.x prior to 2.1.6. It is, therefore, affected by a directory traversal vulnerability in FilterDispatcher (in 2.0) and DefaultStaticContentLoader (in 2.1) due to inadequate restrictions. A remote, unauthenticated attacker can exploit this to traverse the directory structure and download arbitrary files.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Apache Struts version 2.0.12 / 2.1.6 or later.

Plugin Details

Severity: Medium

ID: 128766

File Name: struts_2_1_6.nasl

Version: 1.4

Type: combined

Agent: windows, macosx, unix

Family: Misc.

Published: 9/13/2019

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

CVSS Score Rationale: Directory traversal

CVSS v2.0

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: manual

CVSS v3.0

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vulnerability Information

CPE: cpe:/a:apache:struts

Patch Publication Date: 6/22/2007

Vulnerability Publication Date: 6/22/2008