Apache Struts 2.x < Request Parameter 'top' Object Access Handling Remote Manipulation

Medium Nessus Plugin ID 88714


The remote Windows host contains a web application that uses a Java framework that is affected by a remote manipulation vulnerability.


The version of Apache Struts installed on the remote Windows host is version 2.x prior to It is, therefore, affected by a remote manipulation vulnerability due to incorrect handling of the 'top' object. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to manipulate internal components and container settings.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.


Upgrade to Apache Struts version or later. Alternatively, apply the workaround referenced in the vendor advisory.

Plugin Details

Severity: Medium

ID: 88714

File Name: struts_2_3_24_1_win_local.nasl

Version: $Revision: 1.5 $

Type: local

Agent: windows

Family: Windows

Published: 2016/02/12

Modified: 2016/03/28

Dependencies: 73943

Risk Information

Risk Factor: Medium


Base Score: 5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND

Vulnerability Information

CPE: cpe:/a:apache:struts

Required KB Items: installed_sw/Apache Struts, Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2015/09/22

Vulnerability Publication Date: 2015/09/22

Reference Information

CVE: CVE-2015-5209

BID: 82550

OSVDB: 127949