CVE-2011-5057
Published 2012-01-08
Priority: P3 42 · medium · CVSS 2.0: 5 · AV:N/AC:L/Au:N/C:N/I:P/A:N
EXPLOIT · EPSS: 28.63% (97.9th percentile)
Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this report because of an "easy work-around in existing apps by configuring the interceptor."
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | >= 2.0.0 < 2.3.3 | 2.3.3 |
Detection & IOCs (extracted from sources)
- Detect HTTP requests where query string parameters are prefixed with 'session.': this pattern indicates an attempt to tamper with the Struts session collection via a crafted parameter.
- Monitor for crafted parameters targeting Struts collection namespaces (session, request, application) in HTTP requests to .action endpoints, which may indicate exploitation of the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, or ParameterAware interfaces.
- The vendor disputes the severity of this vulnerability, noting it can be mitigated by configuring the interceptor in existing applications; detection or blocking may be achievable at the interceptor configuration level rather than requiring patching.
- Affected versions span two distinct ranges, 2.3.1.2 and earlier AND 2.3.19-2.3.23; ensure version checks cover both ranges when scoping detection or remediation.
- struts2-core JARs may be present in source packages of Red Hat products (Fuse Service Works 6.0.0, Single Sign On 7.3.0+) due to a Google Guice import; scan source trees with 'find . -name struts2*.jar' to identify exposure.
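The first two detection bullets describe one check: parameter names that address a Struts collection namespace on a .action endpoint. The following script is an added example, not code from the advisory or from the Struts project; the log line format and the sample requests are constructed, and the prefix list is an assumption derived from the interface names quoted above.

```python
# Added example: flag request parameters that target Struts 2 collection
# namespaces (session., request., application., ...) on .action endpoints.
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter-name prefixes that reach the session/request/application
# collections through the *Aware interfaces named in the advisory.
# This list is an assumption for illustration, not the vendor's list.
COLLECTION_PREFIX = re.compile(
    r"^(session|request|application|servletRequest|servletResponse|parameters)\.",
    re.IGNORECASE,
)

# Constructed sample log lines (method, path+query, status); not real traffic.
SAMPLE_LOG = """\
GET /app/login.action?username=alice&password=x 200
GET /app/profile.action?session.userRole=admin&id=7 200
POST /app/order.action?request.total=0 302
GET /app/static/logo.png?session.cache=1 200
GET /app/edit.action?user.name=bob 200
"""


def suspicious_params(target):
    """Return parameter names in `target` that address a collection namespace."""
    parts = urlsplit(target)
    if not parts.path.endswith(".action"):
        return []  # only Struts action endpoints bind request parameters
    return [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)
            if COLLECTION_PREFIX.match(name)]


def scan_log(text):
    """Return (path, [flagged params]) for every log line that carries one."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, nothing to inspect
        target = fields[1]
        flagged = suspicious_params(target)
        if flagged:
            hits.append((urlsplit(target).path, flagged))
    return hits


if __name__ == "__main__":
    for path, params in scan_log(SAMPLE_LOG):
        print(f"{path}: {', '.join(params)}")
```

Parameters sent in a POST body never appear in the query string, so the same name check has to run over the decoded body or the action's parameter map to cover that path.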
CVSS provenance
nvd v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:P/A:N
vendor_redhat · 5.0 MEDIUM
Red Hat
CVE-2011-5057 [MEDIUM] struts: improper access restrictions to collections such as session and request
vendor_redhat · 2011-12-21 · CVSS 5.0
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not in
GHSA
CVE-2011-5057 [MEDIUM] GHSA-x5vg-p6mw-ffv4: Apache Struts 2
ghsa_unreviewed · 2022-05-14
No detection rules found.
References:
- http://codesecure.blogspot.com/2011/12/struts-2-session-tampering-via.html
- http://secunia.com/advisories/47109
- https://issues.apache.org/jira/browse/WW-2264
- https://issues.apache.org/jira/browse/WW-3631