CVE-2012-4386 – org.apache.struts:struts2-core
Package
Manager: maven
Name: org.apache.struts:struts2-core
Vulnerable Version: >=2.0.0 <2.3.4.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
EPSS: 0.08301 (percentile: 0.91924)
Details
Cross-Site Request Forgery in Apache Struts
The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute.
Metadata
Created: 2022-05-17T01:42:17Z
Modified: 2022-11-03T19:12:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2rvh-q539-q33v/GHSA-2rvh-q539-q33v.json
CWE IDs: ["CWE-352"]
Alternative ID: GHSA-2rvh-q539-q33v
Finding: F007
Auto approve: 1