cbcvebase.
CVE-2011-5057
published 2012-01-08

Priority: P3 (42)
CVSS 2.0: 5 medium (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Tags: EXPLOIT
EPSS: 28.63% (97.9th percentile)
Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this report because of an "easy work-around in existing apps by configuring the interceptor."

Affected

1 range
Vendor: apache
Product: struts
Version range: >= 2.0.0 < 2.3.3
Fixed in: 2.3.3

Detection & IOCs (extracted from sources)

URL: http://www.example.com/SomeAction.action?session.somekey=someValue
  • Detect HTTP requests where query string parameters are prefixed with 'session.' — this pattern indicates an attempt to tamper with the Struts session collection via a crafted parameter.
  • Monitor for crafted parameters targeting Struts collection namespaces (session, request, application) in HTTP requests to .action endpoints, which may indicate exploitation of SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, or ParameterAware interfaces.
  • The vendor disputes the severity of this vulnerability, noting it can be mitigated by configuring the interceptor in existing applications — detection/blocking may be achievable at the interceptor configuration level rather than requiring patching.
  • Affected versions span two distinct ranges: 2.3.1.2 and earlier, AND 2.3.19–2.3.23 — ensure version checks cover both ranges when scoping detection or remediation.
  • struts2-core JARs may be present in source packages of Red Hat products (Fuse Service Works 6.0.0, Single Sign On 7.3.0+) due to a Google Guice import — scan source trees with 'find . -name struts2*.jar' to identify exposure.
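The first two detection bullets, as an added example written for this page rather than taken from the cited sources: a small Python scanner that flags query-string parameter names prefixed with session., request. or application. on .action endpoints, run over constructed sample access-log lines (the log format and sample requests are assumptions, not real traffic).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Struts 2 collection namespaces named in the advisory; a parameter whose
# name starts with one of these prefixes is aimed at the SessionAware /
# RequestAware / ApplicationAware maps via the parameters interceptor.
COLLECTION_PREFIXES = ("session.", "request.", "application.")

# Constructed sample access-log lines (not real traffic): method, target, status.
# Note: only query strings are visible here; POST bodies are not in access logs.
SAMPLE_LOG = """\
GET /app/SomeAction.action?session.somekey=someValue HTTP/1.1 200
GET /app/SomeAction.action?name=alice HTTP/1.1 200
POST /app/Login.action?request.user=admin&application.debug=true HTTP/1.1 302
GET /static/logo.png?session.token=x HTTP/1.1 200
GET /app/Search.action?sessionId=abc HTTP/1.1 200
"""

# Assumed log line shape: "<METHOD> <path?query> HTTP/<ver> <status>"
LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\S+ (?P<status>\d{3})$")

def suspicious_params(target):
    """Return query parameter names that target a Struts collection namespace.
    Only .action endpoints are considered, matching the advisory's pattern;
    a name like 'sessionId' does not match because the dot is required."""
    parts = urlsplit(target)
    if not parts.path.endswith(".action"):
        return []
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return [n for n in names if n.startswith(COLLECTION_PREFIXES)]

def scan_log(text):
    """Return (line_number, method, path, flagged_params) for each hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        flagged = suspicious_params(m.group("target"))
        if flagged:
            hits.append((lineno, m.group("method"),
                         urlsplit(m.group("target")).path, flagged))
    return hits

if __name__ == "__main__":
    for lineno, method, path, flagged in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {method} {path} -> {', '.join(flagged)}")
```

Lines 1 and 3 of the sample are reported; the static asset and the plain sessionId parameter are not.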

CVSS provenance

nvd: v2.0, 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:P/A:N
vendor_redhat: 5.0 MEDIUM