CVE-2014-7809: Cross-Site Request Forgery in Apache Struts

Severity: 6.8 MEDIUM (NVD)
EPSS: 7.5% (top 8.16%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages
Timeline: Published Dec 10; Latest update May 14

Description

Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable values, which allows remote attackers to bypass the CSRF protection mechanism.
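The description above and the Red Hat advisory summary further down ("predictable generation of form submission token") state only that the token was predictable; the page does not say how it was generated. The Java program below is an added example, not Struts' code, and assumes a hypothetical setup: one process-wide java.util.Random shared by every session, an attacker who can load two forms in their own session and read the tokens, and no other session drawing a token in between. It recovers the generator's 48-bit internal state from those two tokens, predicts the token the next user will be issued, and then runs the same attack against a SecureRandom-backed generator, where no consistent state is found.

```java
import java.security.SecureRandom;
import java.util.Random;

/**
 * Added illustration (not Struts code): a CSRF form token drawn from a
 * predictable PRNG can be computed by an attacker, a CSPRNG token cannot.
 */
public class CsrfTokenPredictability {

    // Constants of the java.util.Random LCG, as documented in the JDK javadoc.
    private static final long MULT = 0x5DEECE66DL;
    private static final long ADD = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    interface TokenGenerator { String next(); }

    /** Weak generator (hypothetical): one java.util.Random shared by all sessions. */
    static final class WeakTokenGenerator implements TokenGenerator {
        private final Random rng = new Random();          // 48-bit state, clock-derived seed
        public String next() { return Integer.toHexString(rng.nextInt()); }
    }

    /** Hardened generator: SecureRandom; same 32-bit width here only to keep the runs comparable. */
    static final class StrongTokenGenerator implements TokenGenerator {
        private final SecureRandom rng = new SecureRandom();
        public String next() { return Integer.toHexString(rng.nextInt()); }
    }

    static int tokenToInt(String token) { return (int) Long.parseLong(token, 16); }

    /**
     * Attacker step 1: nextInt() returns the top 32 bits of the 48-bit state, so two
     * consecutive outputs leave only 2^16 candidates for the hidden low bits.
     * Returns the state after the second output, or -1 when no candidate fits
     * (the expected outcome when the tokens did not come from this LCG).
     */
    static long recoverState(int out1, int out2) {
        long high = (out1 & 0xFFFFFFFFL) << 16;
        for (long low = 0; low < (1 << 16); low++) {
            long s1 = high | low;
            long s2 = (s1 * MULT + ADD) & MASK;
            if ((int) (s2 >>> 16) == out2) return s2;
        }
        return -1;
    }

    /** Attacker step 2: step the LCG once more to get the token the next caller receives. */
    static int predictNext(long state) {
        return (int) (((state * MULT + ADD) & MASK) >>> 16);
    }

    /** Observe two tokens in our own session, then predict the one issued to the victim. */
    static boolean attack(TokenGenerator gen, String label) {
        int o1 = tokenToInt(gen.next());
        int o2 = tokenToInt(gen.next());
        long state = recoverState(o1, o2);
        String victimToken = gen.next();                  // issued to another user's session
        if (state < 0) {
            System.out.println(label + ": no LCG state fits the observed tokens; not predictable");
            return false;
        }
        String predicted = Integer.toHexString(predictNext(state));
        boolean hit = predicted.equals(victimToken);
        System.out.println(label + ": predicted " + predicted + ", victim got " + victimToken
                + (hit ? " -> attacker can forge the form submission" : " -> prediction wrong"));
        return hit;
    }

    public static void main(String[] args) {
        attack(new WeakTokenGenerator(), "java.util.Random");
        attack(new StrongTokenGenerator(), "SecureRandom");
    }
}
```

Compile and run with javac and java. When reviewing a fix for this class of bug, check two things: the randomness source (SecureRandom or another CSPRNG, never java.util.Random or anything seeded from the clock) and the token width; the hardened generator above keeps 32-bit tokens only so the two runs are comparable, whereas a real token should carry at least 128 bits and be compared with a constant-time equality.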

CVSS vector (v2): AV:N/AC:M/C:P/I:P/A:P (Exploitability: 8.6 | Impact: 6.4)

Affected Packages (1 package)

NVD: apache/struts (51 versions)

Vulnerability Details (3)

GHSA: Cross-Site Request Forgery in Apache Struts (2022-05-14)
OSV: Cross-Site Request Forgery in Apache Struts (2022-05-14)
CVEList: CVE-2014-7809: Apache Struts 2 (2014-12-10)

Vendor Advisories (1)

Red Hat: struts2: predictable generation of form submission token (2014-12-08)

Community (1)

Bugzilla: CVE-2014-7809 struts2: predictable generation of form submission token (2014-12-09)