CVE-2013-4310 – org.apache.struts:struts2-core

Package

Manager: maven
Name: org.apache.struts:struts2-core
Vulnerable Version: >=0 <2.3.15.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.09489 pctl0.92523

Details

Apache Struts2 Broken Access Control Vulnerability The Struts 2 action mapping mechanism supports the special parameter prefix action: which is intended to help with attaching navigational information to buttons within forms, under certain conditions this can be used to bypass security constraints. In Struts 2.3.15.3 the action mapping mechanism was changed to avoid circumventing security constraints. Two additional constants were introduced to steer behaviour of DefaultActionMapper: - struts.mapper.action.prefix.enabled - when set to false support for "action:" prefix is disabled, set to false by default - struts.mapper.action.prefix.crossNamespaces - when set to false, actions defined with "action:" prefix must be in the same namespace as current action

Metadata

Created: 2022-05-17T04:44:52Z
Modified: 2023-08-15T19:02:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q5q8-jghf-3pm3/GHSA-q5q8-jghf-3pm3.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-q5q8-jghf-3pm3
Finding: F039
Auto approve: 1