CVE-2006-1547
Published 2006-03-30
Priority P2 · 68 · high · 7.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA Known Exploited Vulnerability, due 2022-07-21
Exploited in the wild
EPSS 54.63% (98.9th percentile)
ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | < 1.2.9 | 1.2.9 |
Detection & IOCs (extracted from sources)
- The exploit targets multipart/form-data encoded form submissions in which a parameter name references the getMultipartRequestHandler method; monitor HTTP requests with Content-Type: multipart/form-data whose parameter names include 'multipartRequestHandler'.
- Affected software versions: Apache Struts before 1.2.9 combined with BeanUtils 1.7; flag any deployment still running these versions as vulnerable to this DoS.
- The vulnerability only manifests when ActionForm is used with BeanUtils 1.7; upgrading to Struts 1.2.9 or later resolves the issue.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 7.8 | HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |
| vulncheck | | 7.5 | HIGH | |
| cisa | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
CISA
Apache Struts 1 ActionForm Denial-of-Service Vulnerability
cisa·2022-01-21·CVSS 7.5
Vulnerability: Apache Struts 1 ActionForm Denial-of-Service Vulnerability
Affected: Apache Struts 1
ActionForm in Apache Struts versions before 1.2.9 with BeanUtils 1.7 contains a vulnerability that allows for denial-of-service (DoS).
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2006-1547
Remediation Due Date: 2022-07-21
Red Hat
security flaw
vendor_redhat·2006-03-22·CVSS 7.5
ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.
VulDB
Apache Struts 1.2.7/1.2.8 denial of service (XFDB-25613 / SBV-24191)
vuldb·2026-04-22·CVSS 7.5
A vulnerability, which was classified as problematic, has been found in Apache Struts 1.2.7/1.2.8. This issue affects some unknown processing. The manipulation leads to denial of service.
This vulnerability is traded as CVE-2006-1547. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.
It is advisable to upgrade the affected component.
GHSA
Improper Input Validation in Apache Struts (CWE-20)
ghsa·2022-05-01
ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.
OSV
Improper Input Validation in Apache Struts
osv·2022-05-01
ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.
VulnCheck
Apache Struts 1 ActionForm Denial-of-Service Vulnerability
vulncheck·2006·CVSS 7.5
ActionForm in Apache Struts versions before 1.2.9 with BeanUtils 1.7 contains a vulnerability that allows for denial-of-service (DoS).
Affected: Apache Struts
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-07-21
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2006-1547 security flaw
bugzilla·2018-08-16·CVSS 7.5
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.
Bugzilla
CVE-2006-1546 Struts multiple issues (CVE-2006-1547, CVE-2006-1548)
bugzilla·2006-08-15·CVSS 7.5
Fixes needed for FC6
http://errata.devel.redhat.com/errata/showrequest.cgi?advisory=3594
-- Additional comment from [email protected] on 2006-05-03 11:41 EST --
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2006-0281.html
Bugzilla
CVE-2006-1546 Struts multiple issues (CVE-2006-1547, CVE-2006-1548)
bugzilla·2006-03-31·CVSS 7.5
+++ This bug was initially created as a clone of Bug #187542 +++
Struts 1.2.9 has been released which fixes 3 security issues.
* CVE-2006-1546 Validation always skipped with Globals.CANCEL_KEY.
* CVE-2006-1547 DOS attack, application hack.
* CVE-2006-1548 XSS vulnerability in LookupDispatchAction.
http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html
This issue should also affect RHAPS1
Discussion:
Product reached end of lifecycle for security updates
Bugzilla
CVE-2006-1546 Struts multiple issues (CVE-2006-1547, CVE-2006-1548)
bugzilla·2006-03-31·CVSS 7.5
Struts 1.2.9 has been released which fixes 3 security issues.
* CVE-2006-1546 Validation always skipped with Globals.CANCEL_KEY.
* CVE-2006-1547 DOS attack, application hack.
* CVE-2006-1548 XSS vulnerability in LookupDispatchAction.
http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html
This issue should also affect RHAPS1
Discussion:
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2006-0
References
- http://issues.apache.org/bugzilla/show_bug.cgi?id=38534
- http://lists.suse.com/archive/suse-security-announce/2006-May/0004.html
- http://secunia.com/advisories/19493
- http://secunia.com/advisories/20117
- http://securitytracker.com/id?1015856
- http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html
- http://www.securityfocus.com/bid/17342
- http://www.vupen.com/english/advisories/2006/1205
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25613
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2006-1547
Timeline
- 2006-03-30: Published
- 2022-01-21: Added to CISA KEV
- Exploited in the wild