CVE-2015-1831 – org.apache.struts.xwork:xwork-core
Package
Manager: maven
Name: org.apache.struts.xwork:xwork-core
Vulnerable Version: >=2.0.0 <2.3.20.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.06005 (percentile: 0.90336)
Details
Incomplete exclude pattern in Apache Struts
The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. In Struts 2.3.20.1 a better set of exclude patterns was defined.
Metadata
Created: 2022-05-17T00:50:08Z
Modified: 2023-12-28T19:21:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q2cg-xf9p-h457/GHSA-q2cg-xf9p-h457.json
CWE IDs: []
Alternative ID: GHSA-q2cg-xf9p-h457
Finding: F115
Auto approve: 1