Japan Vulnerability Notes, JVN:91383083
Apr 10, 2015 - 12:00 a.m.

JVN#91383083: Seasar S2Struts vulnerable to input validation bypass

2015-04-10 00:00:00
Japan Vulnerability Notes
jvn.jp

CVSS2: 5

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3: 7.5

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.949 (Percentile: 99.3%)

The Validator in Apache Struts 1.1 and later contains a function (MPV – Multi Page Validator) to efficiently define rules for input validation across multiple pages during screen transitions.
The MPV contains a vulnerability where input validation may be bypassed.
When the Apache Struts 1 Validator is used, the web application may be vulnerable even when the MPV is not used explicitly.

Impact

If input validation is bypassed, invalid data may be entered into the database. The effects of the vulnerability depend on the application.

Solution

Apply an Update
Update to the latest version according to the information provided by the developer.

Products Affected

  • S2Struts 1.2.13 and earlier
  • S2Struts 1.3.2 and earlier
