Apache Struts

{{Short description|Open-source web application framework}}

{{for|the predecessor of Apache Struts 2|Apache Struts 1}}

{{Infobox software

| name = Apache Struts 2

| logo = File:Apache Struts 2 logo.svg

| developer = Apache Software Foundation

| released = {{Start date and age|2006|10|10}}

| latest release version = 7.0.3

| latest release date = {{Start date and age|2025|03|07}}{{ cite web | url=https://github.com/apache/struts/releases/tag/STRUTS_7_0_3 |title=Struts 7.0.3 | access-date=16 March 2025}}

| replaces = Apache Struts 1

| operating system = Cross-platform

| programming language = Java

| platform = Cross-platform (JVM)

| genre = Web framework

| license = Apache License 2.0

| website = {{Official URL}}

}}

Apache Struts 2 is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture. The WebWork framework spun off from Apache Struts 1 aiming to offer enhancements and refinements while retaining the same general architecture of the original Struts framework. In December 2005, it was announced that WebWork 2.2 was adopted as Apache Struts 2, which reached its first full release in February 2007.[http://struts.apache.org/release/2.2.x/ About Apache Struts 2] {{webarchive |url=https://web.archive.org/web/20140114170139/http://struts.apache.org/release/2.2.x/ |date=January 14, 2014 }}

Struts 2 has a history of critical security bugs,{{cite web |url=https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-6117/Apache-Struts.html |title=Apache Struts : List of security vulnerabilities |website=cvedetails.com |access-date=October 2, 2017}} many tied to its use of OGNL technology;{{cite web |url=https://community.saas.hpe.com/t5/Security-Research/Struts-2-OGNL-Expression-Injections/ba-p/288881#.WdL6ca2ZNxw |archive-url=https://web.archive.org/web/20171003124645/https://community.saas.hpe.com/t5/Security-Research/Struts-2-OGNL-Expression-Injections/ba-p/288881#.WdL6ca2ZNxw |url-status=dead |archive-date=October 3, 2017 |title=Struts 2: OGNL Expression Injections |first=Alvaro |last=Munoz |website=HPE.com |date=January 14, 2014 |access-date=October 2, 2017 }} some vulnerabilities can lead to arbitrary code execution. In October 2017, it was reported that failure by Equifax to address a Struts 2 vulnerability advised in March 2017 was later exploited in the data breach that was disclosed by Equifax in September 2017.{{cite web |url=https://www.theregister.co.uk/2017/10/02/equifax_ceo_richard_smith_congressional_testimony/?mt=1506988904204 |title=Equifax couldn't find or patch vulnerable Struts implementations |first=Richard |last=Chirgwin |website=The Register |date=October 2, 2017 |access-date=October 2, 2017}}{{cite web |url=https://arstechnica.com/information-technology/2017/10/a-series-of-delays-and-major-errors-led-to-massive-equifax-breach/ |title=A series of delays and major errors led to massive Equifax breach |first=Dan |last=Goodin |website=Ars Technica |date=October 2, 2017 |access-date=October 2, 2017}}