[Japanese]

JVNDB-2016-000097

Apache Struts 1 vulnerable to input validation bypass

Overview

The Apache Struts 1 Validator contains a vulnerability where input validation configurations (validation rules, error messages, etc.) may be modified.
This occurs when the following ActionForm (including its subclasses) are in the session scope.
* ValidatorForm
* ValidatorActionForm
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 4.8 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 5.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products


Apache Software Foundation
  • Apache Struts versions 1.0 through 1.3.10

Impact

Effects vary depending on the web application. For example, cross-site scripting attacks or denial-of-service (DoS) attacks may be possible.
Solution

As of April 5, 2013, Apache Struts 1 is End-Of-Life (EOL).
For information on countermeasures and patches, refer to the information provided by developers that use Apache Struts 1.
Vendor Information

Apache Software Foundation Oracle Corporation Ricoh Co., Ltd Red Hat, Inc. NTT DATA FUJITSU
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2016-1182
References

  1. JVN : JVN#65044642
  2. National Vulnerability Database (NVD) : CVE-2016-1182
  3. Related document : Fixed CVE-2016-1181 and CVE-2016-1182
Revision History

  • [2016/06/07]
      Web page was published
    [2016/08/04]
      Vendor Information : Contents were added
      References : Contents were added
    [2016/12/05]
      Vendor Information : Content was added

Date Public2016/06/07
Date First Published2016/06/07
Date Last Updated2016/12/05