CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
90.6%
The Apache Sturts 1 ActionForm contains a vulnerability which allows unintended remote operations against components on server memory, such as Servlets and ClassLoader, when the following 2 conditions are met:
Condition 1:
When the following ActionForm (including its subclasses) are in the session scope, and multiple threads that process the same session can access the same ActionForm instance
ActionForm (not including claesses that implement DynaBean interface, such as DynaActionForm and its subclasses) ValidatingActionForm ValidatorForm ValidatorActionForm Condition 2:
Can process multi-part requests
(This condition applies whether or not the web application uses multi-part forms)
Effects vary depending on the web application. For example, a denial-of-service (DoS) may occur.
Also, unintended operations on the ClassLoader by a remote attacker may lead to information being stolen or arbitrary code execution on the server where Apache Struts is running.
As of April 5, 2013, Apache Struts 1 is End-Of-Life (EOL).
For information on countermeasures and patches, refer to the information provided by developers that use Apache Struts 1.
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
90.6%