{"id":"CVE-2016-4433","details":"Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request.","aliases":["GHSA-wm8w-qp2f-728q"],"modified":"2026-04-10T03:52:21.116305Z","published":"2016-07-04T22:59:07.537Z","references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/91282"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"},{"type":"ADVISORY","url":"https://struts.apache.org/docs/s2-039.html"},{"type":"ADVISORY","url":"http://jvn.jp/en/jp/JVN45093481/index.html"},{"type":"ADVISORY","url":"http://jvndb.jvn.jp/jvndb/JVNDB-2016-000112"},{"type":"ADVISORY","url":"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009282"},{"type":"ADVISORY","url":"http://www-01.ibm.com/support/docview.wss?uid=swg21987854"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1348251"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/struts","events":[{"introduced":"0"},{"last_affected":"0320310406f6b11cfd235d7a9b866cf1de483a1e"},{"introduced":"0"},{"last_affected":"a9974eec5689a7113a6fb1e2096252f0935064dd"},{"introduced":"0"},{"last_affected":"bbbf43ec59e7bef3b07e9065dc9784c18a95d58b"},{"introduced":"0"},{"last_affected":"925741ad1e8e48c7a6d687fe02d3fdb6386eb64c"},{"introduced":"0"},{"last_affected":"7a9863169f7d981be0d2d57437974ae2cc0c8bd3"},{"introduced":"0"},{"last_affected":"36b6fff05cd4a17f75b091c0edd52e0c1e65ec06"},{"introduced":"0"},{"last_affected":"0ac8932aa3a1b28a8f950863c17165cdc63b1474"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.3.20"},{"introduced":"0"},{"last_affected":"2.3.20.1"},{"introduced":"0"},{"last_affected":"2.3.20.3"},{"introduced":"0"},{"last_affected":"2.3.24"},{"introduced":"0"},{"last_affected":"2.3.24.1"},{"introduced":"0"},{"last_affected":"2.3.24.3"},{"introduced":"0"},{"last_affected":"2.3.28"}]}}],"versions":["STRUTS_2_3_20","STRUTS_2_3_20_1","STRUTS_2_3_20_2","STRUTS_2_3_20_3","STRUTS_2_3_24","STRUTS_2_3_24_1","STRUTS_2_3_24_2","STRUTS_2_3_24_3","STRUTS_2_3_25","STRUTS_2_3_26","STRUTS_2_3_27","STRUTS_2_3_28"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4433.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}