CVE-2018-11776
Published: 22 August 2018
Summary
CVE-2018-11776 is a high-severity vulnerability, with no weakness type specified, in Oracle MySQL Enterprise Monitor. Its CVSS base score is 8.1 (High).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16 contain a remote code execution vulnerability that manifests when the alwaysSelectFullNamespace option is enabled, either directly or via plugins such as the Convention Plugin. The flaw occurs when action results lack an explicit namespace while an ancestor package uses no namespace or a wildcard, and an analogous condition exists for url tags that omit both value and action attributes under the same package configuration.
An unauthenticated remote attacker can trigger the issue over the network by supplying crafted requests that satisfy the namespace preconditions, resulting in arbitrary code execution with high impact to confidentiality, integrity, and availability. Exploitation requires high attack complexity according to the CVSS 8.1 rating and does not depend on user interaction or privileges.
Public advisories referenced for this CVE, including those published by Oracle, direct administrators to apply vendor-supplied patches that address the namespace handling logic in the affected Struts releases.
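The configuration preconditions described above can be checked in a `struts.xml` before and after patching. The following audit is an added example, not code from Apache Struts or from any advisory. It assumes the option is set through the `struts.mapper.alwaysSelectFullNamespace` constant (or forced by a plugin, passed as a hypothetical flag), inspects only the enclosing package of each result, and does not cover the url-tag case, which lives in JSP templates.

```python
import xml.etree.ElementTree as ET

NS_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"
NS_RESULT_TYPES = {"redirectAction", "chain", "postback"}  # accept a "namespace" param

def namespace_is_open(ns):
    """True when a package declares no namespace or a wildcard one."""
    return ns is None or ns.strip() == "" or "*" in ns

def audit(struts_xml, plugin_forces_full_namespace=False):
    """List (package, action, result type) for results matching the preconditions."""
    root = ET.fromstring(struts_xml)
    enabled = plugin_forces_full_namespace or any(
        c.get("name") == NS_CONSTANT and c.get("value", "").strip().lower() == "true"
        for c in root.iter("constant"))
    if not enabled:
        return []
    findings = []
    for pkg in root.iter("package"):
        if not namespace_is_open(pkg.get("namespace")):
            continue
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                if result.get("type") not in NS_RESULT_TYPES:
                    continue
                has_ns = any(p.get("name") == "namespace" and (p.text or "").strip()
                             for p in result.iter("param"))
                if not has_ns:
                    findings.append((pkg.get("name"), action.get("name"), result.get("type")))
    return findings

# Constructed sample configuration (not taken from any real application).
SAMPLE = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="open" extends="struts-default">
    <action name="save">
      <result type="redirectAction"><param name="actionName">list</param></result>
      <result name="error">/error.jsp</result>
    </action>
  </package>
  <package name="fixed" namespace="/admin" extends="struts-default">
    <action name="save"><result type="redirectAction"><param name="actionName">list</param></result></action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="go"><result type="chain"><param name="actionName">next</param><param name="namespace">/app</param></result></action>
  </package>
</struts>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A clean result narrows the configuration exposure only; the affected Struts releases still need the vendor patch.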
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-0582
Vulnerability details
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires applying the vendor patches that correct the namespace-handling logic described in the CVE.
Mandates validation of untrusted input (namespace, action, and url-tag parameters) that the attacker manipulates to trigger RCE.
Requires explicit, non-wildcard namespace settings that eliminate the configuration precondition needed for exploitation.