CVE-2015-0899
published 2016-07-04CVE-2015-0899: The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page…
PriorityP356high7.5CVSS 3.0
AVNACLPRNUINSUCNIHAN
EPSS
21.26%
97.3th percentile
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| apache | struts | — | — |
| oracle | banking_platform | — | — |
| oracle | banking_platform | — | — |
| oracle | banking_platform | — | — |
| oracle | banking_platform | — | — |
| oracle | portal | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect HTTP POST requests where the 'page' parameter has been tampered with to a value lower than the expected field page number, bypassing MultiPageValidator input validation in Apache Struts 1. ↗
- →Authentication is not required to exploit this vulnerability; monitor for unauthenticated POST requests manipulating the 'page' parameter in Struts 1 multi-page form submissions. ↗
- →Successful exploitation can result in XSS payloads being stored and reflected via JSP files that directly reference form bean properties (e.g., username field); monitor for script tags in form field submissions. ↗
- ·The vulnerability exists in both ValidatorForm.java and DynaValidatorForm.java and will NOT be patched as Apache Struts 1 is End-Of-Life; detection/mitigation must be handled at the network/IPS layer. ↗
- ·The 'page' property value is read directly from the HTTP POST request; any application relying on client-supplied 'page' values for validator gating is vulnerable across Struts 1.1 through 1.3.10. ↗
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:N
ghsa7.5HIGH
osv7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
struts: Vulnerability in ActionForm allows unintended remote operations against components on server memory
vendor_redhat·2016-06-07·CVSS 7.5
CVE-2016-1181 [HIGH] struts: Vulnerability in ActionForm allows unintended remote operations against components on server memory
struts: Vulnerability in ActionForm allows unintended remote operations against components on server memory
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.
Statement: This issue affects the version of struts shipped with Red Hat Enterprise Linux 5, which is currently in Extended Life Phase. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification https://access.redhat.com/security/updates/classification/ and the Red Hat Enterprise Linux Life Cycle https://access.redhat.
Red Hat
struts: Improper input validation in Validator
vendor_redhat·2016-06-07·CVSS 7.5
CVE-2016-1182 [HIGH] CWE-20 struts: Improper input validation in Validator
struts: Improper input validation in Validator
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
Statement: This issue affects the version of struts shipped with Red Hat Enterprise Linux 5, which is currently in Extended Life Phase. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification https://access.redhat.com/security/updates/classification/ and the Red Hat Enterprise Linux Life Cycle https://access.redhat.com/support/policy/updates/errata/.
Package: struts (Red Hat Enterprise Linu
Red Hat
1: input validation bypass in MultiPageValidator
vendor_redhat·2015-03-30·CVSS 7.5
CVE-2015-0899 [HIGH] CWE-20 1: input validation bypass in MultiPageValidator
1: input validation bypass in MultiPageValidator
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.
Package: struts (Red Hat Enterprise Linux 5) - Will not fix
Package: struts (Red Hat JBoss Enterprise Web Server 1) - Will not fix
Package: struts (Red Hat JBoss Enterprise Web Server 2) - Not affected
Package: struts (Red Hat JBoss Operations Network 3) - Will not fix
Package: struts (Red Hat Satellite 5) - Not affected
OSV
Improper Input Validation in Apache Struts
osv·2022-05-14
CVE-2015-0899 [HIGH] Improper Input Validation in Apache Struts
Improper Input Validation in Apache Struts
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.
GHSA
Improper Input Validation in Apache Struts
ghsa·2022-05-14
CVE-2015-0899 [HIGH] CWE-20 Improper Input Validation in Apache Struts
Improper Input Validation in Apache Struts
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.
OSV
Improper Input Validation in Apache Struts
osv·2022-05-13·CVSS 7.5
CVE-2016-1181 [HIGH] Improper Input Validation in Apache Struts
Improper Input Validation in Apache Struts
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.
OSV
Improper Input Validation in Apache Struts
osv·2022-05-13·CVSS 7.5
CVE-2016-1182 [HIGH] Improper Input Validation in Apache Struts
Improper Input Validation in Apache Struts
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
GHSA
Improper Input Validation in Apache Struts
ghsa·2022-05-13·CVSS 7.5
CVE-2016-1182 [HIGH] CWE-20 Improper Input Validation in Apache Struts
Improper Input Validation in Apache Struts
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
GHSA
Improper Input Validation in Apache Struts
ghsa·2022-05-13·CVSS 7.5
CVE-2016-1181 [HIGH] CWE-20 Improper Input Validation in Apache Struts
Improper Input Validation in Apache Struts
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-1182 struts: Improper input validation in Validator
bugzilla·2016-06-07·CVSS 7.5
CVE-2016-1182 [HIGH] CVE-2016-1182 struts: Improper input validation in Validator
CVE-2016-1182 struts: Improper input validation in Validator
It was reported that The Apache Struts 1 Validator contains a vulnerability where input validation configurations (validation rules, error messages, etc.) may be modified. This occurs when ValidatorForm and ValidatorActionForm (including its subclasses) are in the session scope.
Affects Apache Struts 1 versions 1.0 through 1.3.10.
External References:
https://jvn.jp/en/jp/JVN65044642/
Discussion:
Created struts tracking bugs for this issue:
Affects: fedora-all [bug 1343541]
Affects: epel-7 [bug 1343542]
---
Seem a duplicate of CVE-2015-0899. Already fixed
---
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0899
---
struts-1.3.10-18.fc23 has been pushed to the Fedora 23 stable repository. If problems still persis
Bugzilla
CVE-2016-1181 struts: Vulnerability in ActionForm allows unintended remote operations against components on server memory
bugzilla·2016-06-07·CVSS 7.5
CVE-2016-1181 [HIGH] CVE-2016-1181 struts: Vulnerability in ActionForm allows unintended remote operations against components on server memory
CVE-2016-1181 struts: Vulnerability in ActionForm allows unintended remote operations against components on server memory
A vulnerability in Apache Struts 1 ActionForm allowing unintended remote operations against components on server memory, such as Servlets and ClassLoader, was found.
Affects Apache Struts versions 1.0 through 1.3.10
External References:
https://jvn.jp/en/jp/JVN03188560/
Discussion:
Created struts tracking bugs for this issue:
Affects: fedora-all [bug 1343541]
Affects: epel-7 [bug 1343542]
---
Seem a duplicate of CVE-2015-0899. Already fixed
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0899
---
Patch:
https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8
---
struts-1.3.10-18.fc23 has been pushed to the Fedora 23
Bugzilla
CVE-2016-1181 CVE-2016-1182 struts: various flaws [epel-7]
bugzilla·2016-06-07·CVSS 7.5
CVE-2016-1181 [HIGH] CVE-2016-1181 CVE-2016-1182 struts: various flaws [epel-7]
CVE-2016-1181 CVE-2016-1182 struts: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
[bug automatically created by: add-tracking-bugs]
Discussion:
Use th
Bugzilla
CVE-2016-1181 CVE-2016-1182 struts: various flaws [fedora-all]
bugzilla·2016-06-07·CVSS 7.5
CVE-2016-1181 [HIGH] CVE-2016-1181 CVE-2016-1182 struts: various flaws [fedora-all]
CVE-2016-1181 CVE-2016-1182 struts: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While o
Bugzilla
CVE-2015-0899 struts: Apache Struts 1: input validation bypass in MultiPageValidator [fedora-all]
bugzilla·2015-08-25·CVSS 7.5
CVE-2015-0899 [HIGH] CVE-2015-0899 struts: Apache Struts 1: input validation bypass in MultiPageValidator [fedora-all]
CVE-2015-0899 struts: Apache Struts 1: input validation bypass in MultiPageValidator [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple su
Bugzilla
CVE-2015-0899 struts: Apache Struts 1: input validation bypass in MultiPageValidator [epel-7]
bugzilla·2015-08-25·CVSS 7.5
CVE-2015-0899 [HIGH] CVE-2015-0899 struts: Apache Struts 1: input validation bypass in MultiPageValidator [epel-7]
CVE-2015-0899 struts: Apache Struts 1: input validation bypass in MultiPageValidator [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-7 tracking bug for struts: see
Bugzilla
CVE-2015-0899 Apache Struts 1: input validation bypass in MultiPageValidator
bugzilla·2015-03-30·CVSS 7.5
CVE-2015-0899 [HIGH] CVE-2015-0899 Apache Struts 1: input validation bypass in MultiPageValidator
CVE-2015-0899 Apache Struts 1: input validation bypass in MultiPageValidator
The following flaw was found in Apache Struts 1:
The Validator in Apache Struts 1.1 and later contains a function to efficiently define rules for input validation across multiple pages during screen transitions. This function contains a vulnerability where input validation may be bypassed. When the Apache Struts 1 Validator is used, the web application may be vulnerable even when this function is not used explicitly.
Upstream advisory:
http://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000042.html
https://jvn.jp/en/jp/JVN86448949/index.html
Upstream patches:
http://en.sourceforge.jp/projects/terasoluna/wiki/StrutsPatch2-EN
Discussion:
While jbews-1 is affected by this issue, it's end of life was reached in Ju
Fortinet
The Analysis of Apache Struts 1 Form Field Input Validation Bypass (CVE-2015-0899)
blogs_fortinet·2017-10-25·CVSS 7.5
CVE-2015-0899 [HIGH] The Analysis of Apache Struts 1 Form Field Input Validation Bypass (CVE-2015-0899)
FORTIGUARD LABS THREAT RESEARCH
The Analysis of Apache Struts 1 Form Field Input Validation Bypass (CVE-2015-0899)
By Dehui Yin | October 25, 2017
Apache Struts 1 is a popularly used JAVA EE web application framework. It offers many kinds of validators to filter user input by using the Apache Common Validator library, which is both convenient and fast. However, a bug in Apache Struts can be used to easily bypass the input validation process, allowing an attacker to submit arbitrary dirty data to the database, possibly resulting in a cross-site scripting attack when the user views the JSP file that refers directly to the corrupted data.
This potential Input Validation Bypass vulnerability is caused by an error in both ValidatorForm.java and DynaValidatorForm.java when initializing the va
Fortinet
The Analysis of Apache Struts 1 ActionServlet Validator Bypass (CVE-2016-1182)
blogs_fortinet·2017-10-25·CVSS 8.2
CVE-2016-1182 [HIGH] The Analysis of Apache Struts 1 ActionServlet Validator Bypass (CVE-2016-1182)
FORTIGUARD LABS THREAT RESEARCH
The Analysis of Apache Struts 1 ActionServlet Validator Bypass (CVE-2016-1182)
By Dehui Yin | October 25, 2017
Apache Struts 1 ValidatorForm is a commonly used component in the JAVA EE Web Application that requires validated form fields input by a user, such as a login form, registration form, or other information form. By configuring the validation rules, Apache Struts can validate many different kinds of fields - username, email, credit card number, etc. However, a bug in Apache Struts 1 can be used to manipulate the property of ValidatorForm so as to modify the validation rules, or even worse, cause a denial of service or execute arbitrary code in the context of the Web Application.
This potential Input Validation Bypass or Denial Of Service vulnerabil
Fortinet
Apache Commons Collections Under Attack
blogs_fortinet·2016-02-04·CVSS 9.8
CVE-2015-4852 [CRITICAL] Apache Commons Collections Under Attack
FORTIGUARD LABS THREAT RESEARCH
Apache Commons Collections Under Attack
By Dehui Yin | February 04, 2016
Two months ago, a Java zero day vulnerability (CVE-2015-4852) that targeted Apache commons collections library was disclosed. This vulnerability is caused by an error when Java applications, which use Apache commons collections library, deserialize objects from untrusted network sources. Let’s take a look:
Our Fortinet IPS team immediately created a signature, "Apache.Commons.Collection.InvokerTransformer.Code.Execution", in order to protect our customers, and continues to monitor. Over the last 2 months, since creating the initial signature, we have seen it triggered on average, 400 times a day from 50 different FortiGates. This rate of alert is not very high, however, these alerts
http://jvn.jp/en/jp/JVN86448949/index.htmlhttp://jvndb.jvn.jp/jvndb/JVNDB-2015-000042http://www.debian.org/security/2016/dsa-3536http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlhttp://www.securityfocus.com/bid/74423https://en.osdn.jp/projects/terasoluna/wiki/StrutsPatch2-ENhttps://security.netapp.com/advisory/ntap-20180629-0006/http://jvn.jp/en/jp/JVN86448949/index.htmlhttp://jvndb.jvn.jp/jvndb/JVNDB-2015-000042http://www.debian.org/security/2016/dsa-3536http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlhttp://www.securityfocus.com/bid/74423https://en.osdn.jp/projects/terasoluna/wiki/StrutsPatch2-ENhttps://security.netapp.com/advisory/ntap-20180629-0006/
2016-07-04
Published