CVE-2016-1182

NameCVE-2016-1182
DescriptionActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libstruts1.2-javasource(unstable)(unfixed)medium

Notes

[wheezy] - libstruts1.2-java <no-dsa> (basically fixed in CVE-2015-0899)
https://jvn.jp/en/jp/JVN65044642/
Two conditions must be met to exploit this vulnerability
condition one is already fixed in CVE-2015-0899, so everything is fine
condition two can be fixed by the following patch:
https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8
but as this completely deactivates multipart requests, this should not be generally applied

Search for package or bug name: Reporting problems