Lucene search

Japan Vulnerability NotesJVN:45093481

HistoryJun 20, 2016 - 12:00 a.m.

JVN#45093481: Multiple vulnerabilities in Apache Struts 2

2016-06-2000:00:00

Japan Vulnerability Notes

jvn.jp

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.009

Percentile

82.9%

JSON

Apache Struts 2 provided by the Apache Software Foundation is a software framework for creating web applications in Java. Web applications that are developed using Apache Struts 2 contain multiple vulnerabilities listed below.

Cross-site request forgery (S2-038) - CVE-2016-4430

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N	Base Score: 3.1
CVSS v2	AV:N/AC:M/Au:N/C:N/I:P/A:N	Base Score: 4.3

Validation bypass in Getter method (S2-039) - CVE-2016-4433

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L	Base Score: 5.6
CVSS v2	AV:N/AC:M/Au:N/C:P/I:P/A:P	Base Score: 6.8

Input validation bypass (S2-040) - CVE-2016-4431

Version	Vector	Score
CVSS v3	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L	Base Score: 5.6
CVSS v2	AV:N/AC:M/Au:N/C:P/I:P/A:P	Base Score: 6.8

Impact

An unauthenticated remote attacker may redirect a user to unvalidated locations, store a crafted date, or lead a user to perform unintended operations.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Products Affected

Apache Struts 2.3.20 to 2.3.28.1
Affects of this vulnearbility to Apache Struts 1 is unknown.
As of April 5, 2013, Apache Software Foundation has announced that Apache Strtus 1 is no longer developed or supported.