CVE-2015-5209 org.apache.struts:struts2-core

Package

Manager: maven
Name: org.apache.struts:struts2-core
Vulnerable Version: >=0 <2.3.24.1

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.03665 (percentile 0.87423)

Details

A special top object can be used to access Struts' internals. The ValueStack defines a special top object that represents the root of the execution context. It can be used to manipulate Struts' internals or to affect the container's settings. The fix applies a stricter regex that includes a pattern to exclude request parameters attempting to use the top object. This issue was patched in Struts 2.3.24.1.

Metadata

Created: 2022-05-14T03:15:08Z
Modified: 2022-11-03T22:43:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4qgj-9mvg-3929/GHSA-4qgj-9mvg-3929.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-4qgj-9mvg-3929
Finding: F184
Auto approve: 1