Apache Struts2 Vulnerabilities S2-031, S2-032

S2-031, S2-032, CVE-2016-3081, CVE-2016-3082

Two Apache Struts2 vulnerabilities have been found which may allow remote code execution [1,2].

  • S2-031: Remote Code Execution can be performed via the method: prefix when Dynamic Method Invocation is enabled [1]
  • S2-032: XSLTResult allows the location of a stylesheet to be passed as a request parameter. In some circumstances this can be used to inject remotely executable code [2]

Affected versions:

  • S2-031: Struts 2.0.0 - Struts 2.3.28 (except and
  • S2-032: Struts 2.3.20 - Struts 2.3.28 (except and

If you are using a vulnerable Apache Struts2 version on a back-end application, we strongly recommend updating Struts2 to version or higher.

Alternatively, S2-032 can be prevented by disabling Dynamic Method Invocation or by configuring a custom Deny Rule on Airlock WAF with the parameter value pattern:


Case-sensitive = OFF
Invert = OFF

S2-031 can be prevented by implementing your own XSLTResult based on code of the versions Struts, Struts or Struts
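As an added illustration of the request patterns both advisories describe (this is example code, not Airlock's deny rule, whose exact pattern is not reproduced here), the helper below scans request URLs from access-log lines for a parameter name carrying the Dynamic Method Invocation `method:` prefix and for a parameter that carries a stylesheet location; the parameter name `location` and the `.xsl`/`.xslt` suffixes are assumptions, not taken from the advisory.

```python
"""Detection helper for the Struts2 request patterns described above.

Added example, not the advisory's or Airlock's own rule set. Two checks:
(a) a query parameter whose name starts with the DMI "method:" prefix,
(b) a query parameter that carries a stylesheet location (assumed to be
    named "location" or to have a value ending in .xsl/.xslt).
"""
from urllib.parse import urlsplit, parse_qsl

# Assumed suffixes for a stylesheet location value (not from the advisory).
STYLESHEET_SUFFIXES = (".xsl", ".xslt")


def find_struts_indicators(url):
    """Return a list of (rule, parameter name) hits for one request URL."""
    hits = []
    query = urlsplit(url).query
    # keep_blank_values so a bare "method:foo" with no value is still seen
    for name, value in parse_qsl(query, keep_blank_values=True):
        lname = name.lower()
        if lname.startswith("method:"):
            hits.append(("dmi-method-prefix", name))
        if lname == "location" or value.lower().endswith(STYLESHEET_SUFFIXES):
            hits.append(("xslt-location", name))
    return hits


# Constructed sample access-log lines ("METHOD PATH STATUS"); not real traffic.
SAMPLE_LOG = [
    "GET /app/index.action?page=1 200",
    "GET /app/index.action?method:list=1 200",
    "GET /app/report.action?location=http://example.invalid/x.xslt 200",
]


def scan_log(lines):
    """Return the log lines whose request URL contains at least one indicator."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line, skip rather than crash
        if find_struts_indicators(parts[1]):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("flagged:", hit, find_struts_indicators(hit.split()[1]))
```

Such a check only narrows down which requests reached a back-end running an affected version; upgrading Struts2 remains the actual fix.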

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution