Apache Struts2 Broken Access Control Vulnerability

2022-05-1704:44:52

Google

osv.dev

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.015 Low

EPSS

Percentile

86.6%

JSON

The Struts 2 action mapping mechanism supports the special parameter prefix action: which is intended to help with attaching navigational information to buttons within forms, under certain conditions this can be used to bypass security constraints.

In Struts 2.3.15.3 the action mapping mechanism was changed to avoid circumventing security constraints. Two additional constants were introduced to steer behaviour of DefaultActionMapper:

struts.mapper.action.prefix.enabled - when set to false support for “action:” prefix is disabled, set to false by default
struts.mapper.action.prefix.crossNamespaces - when set to false, actions defined with “action:” prefix must be in the same namespace as current action

CPENameOperatorVersion
org.apache.struts:struts2-coreeq2.3.15
org.apache.struts:struts2-coreeq2.3.4
org.apache.struts:struts2-coreeq2.0.5
org.apache.struts:struts2-coreeq2.1.2
org.apache.struts:struts2-coreeq2.0.11
org.apache.struts:struts2-coreeq2.2.1
org.apache.struts:struts2-coreeq2.1.6
org.apache.struts:struts2-coreeq2.0.9
org.apache.struts:struts2-coreeq2.3.1
org.apache.struts:struts2-coreeq2.3.7

Name	Operator	Version
org.apache.struts:struts2-core	eq	2.3.15
org.apache.struts:struts2-core	eq	2.3.4
org.apache.struts:struts2-core	eq	2.0.5
org.apache.struts:struts2-core	eq	2.1.2
org.apache.struts:struts2-core	eq	2.0.11
org.apache.struts:struts2-core	eq	2.2.1
org.apache.struts:struts2-core	eq	2.1.6
org.apache.struts:struts2-core	eq	2.0.9
org.apache.struts:struts2-core	eq	2.3.1
org.apache.struts:struts2-core	eq	2.3.7