Описание
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| libstruts1.2-java | removed | package | ||
| libstruts1.2-java | no-dsa | wheezy | package |
Примечания
https://jvn.jp/en/jp/JVN65044642/
Two conditions must be met to exploit this vulnerability
condition one is already fixed in CVE-2015-0899, so everything is fine
condition two can be fixed by the following patch:
https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8
but as this completely deactivates multipart requests, this should not be generally applied
EPSS
Связанные уязвимости
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
Уязвимость программной платформы Apache Struts, позволяющая нарушителю вызвать отказ в обслуживании или провести XSS-атаки
EPSS