Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2011-5057: Apache Struts vulnerability

CWE-264 | 6 documents | 6 sources

Severity: 5.0 MEDIUM (NVD)
EPSS: 56.3% (top 1.88%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Affected products: see Affected Packages below
Timeline: Published Jan 8; Latest update May 14

Description

Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance

CVSS vector

AV:N/AC:L/C:N/I:P/A:N | Exploitability: 10.0 | Impact: 2.9

Affected Packages (1 package)

NVD: apache/struts, versions 2.0.0 to 2.3.3

🔴 Vulnerability Details (2)

GHSA: GHSA-x5vg-p6mw-ffv4: Apache Struts 2 (2022-05-14)
CVEList: CVE-2011-5057: Apache Struts 2 (2012-01-08)

💥 Exploits & PoCs (1)

Exploit-DB: Apache Struts 2.0.9/2.1.8 - Session Tampering Security Bypass (2011-12-07)

📋 Vendor Advisories (1)

Red Hat: struts: improper access restrictions to collections such as session and request (2011-12-21)

💬 Community (1)

Bugzilla: CVE-2011-5057 struts: improper access restrictions to collections such as session and request (2012-01-11)
CVE-2011-5057 — Apache Struts vulnerability | cvebase