CVE-2016-1181 — Improper Input Validation in Apache Struts

CWE-20 — Improper Input Validation10 documents7 sources

Severity

8.1HIGHNVD

CNA7.5GHSA7.5OSV7.5

EPSS

9.4%

top 7.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Struts Oracle Banking Platform Oracle Portal

Timeline

PublishedJul 4

Latest updateMay 13

Description

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

▶NVDapache/struts20 versions+19

▶NVDoracle/portal11.1.1.6

▶NVDoracle/banking_platform4 versions+3

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Improper Input Validation in Apache Struts↗2022-05-13

▶

GHSA

Improper Input Validation in Apache Struts↗2022-05-13

▶

CVEList

CVE-2016-1181: ActionServlet↗2016-07-04

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Applications Risk Matrix: MSS Integration Cartridge (Apache Struts 1) — CVE-2016-1181↗2020-07-15

▶

Oracle

Oracle Oracle Retail Applications Risk Matrix: Dataset Component (Struts1) — CVE-2016-1181↗2020-01-15

▶

Red Hat

struts: Vulnerability in ActionForm allows unintended remote operations against components on server memory↗2016-06-07

▶

💬Community

Bugzilla

CVE-2016-1181 struts: Vulnerability in ActionForm allows unintended remote operations against components on server memory↗2016-06-07

▶

Bugzilla

CVE-2016-1181 CVE-2016-1182 struts: various flaws [epel-7]↗2016-06-07

▶

Bugzilla

CVE-2016-1181 CVE-2016-1182 struts: various flaws [fedora-all]↗2016-06-07

▶