Cyber Resilience

CVE-2018-11776

HighCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 22 August 2018

Published
22 August 2018
Modified
27 October 2025
KEV Added
03 November 2021
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9443 100.0th percentile
Risk Priority 93 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2018-11776 is a high-severity an unspecified weakness vulnerability in Oracle Mysql Enterprise Monitor. Its CVSS base score is 8.1 (High).

Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16 contain a remote code execution vulnerability that manifests when the alwaysSelectFullNamespace option is enabled, either directly or via plugins such as the Convention Plugin. The flaw occurs when action results lack an explicit namespace while an ancestor package uses no namespace or a wildcard, and an analogous condition exists for url tags that omit both value and action attributes under the same package configuration.

An unauthenticated remote attacker can trigger the issue over the network by supplying crafted requests that satisfy the namespace preconditions, resulting in arbitrary code execution with high impact to confidentiality, integrity, and availability. Exploitation requires high attack complexity according to the CVSS 8.1 rating and does not depend on user interaction or privileges.

Public advisories referenced for this CVE, including those published by Oracle, direct administrators to apply vendor-supplied patches that address the namespace handling logic in the affected Struts releases.

EU & UK References

Vulnerability details

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same…

more

time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.

CWE(s)
KEV Date Added
03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache
struts
2.0.4 — 2.3.35 · 2.5.0 — 2.5.17
netapp
active iq unified manager
≥ 7.3 · ≥ 9.5
netapp
oncommand insight
all versions
netapp
oncommand workflow automation
all versions
netapp
snapcenter
all versions
oracle
communications policy management
≤ 12.5.0
oracle
enterprise manager base platform
13.3.0.0, 13.4.0.0
oracle
mysql enterprise monitor
≤ 3.4.9.4237 · 4.0.0 — 4.0.6.5281 · 8.0.0 — 8.0.2.8191

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the vendor patches that correct the namespace-handling logic described in the CVE.

prevent

Mandates validation of untrusted input (namespace, action, and url-tag parameters) that the attacker manipulates to trigger RCE.

prevent

Requires explicit, non-wildcard namespace settings that eliminate the configuration precondition needed for exploitation.

References