CVE-2016-1182 — Improper Input Validation in Apache Struts

CWE-20 — Improper Input Validation9 documents7 sources

Severity

8.2HIGHNVD

CNA7.5GHSA7.5OSV7.5

EPSS

1.8%

top 17.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Struts

Timeline

PublishedJul 4

Latest updateMay 13

Description

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:HExploitability: 3.9 | Impact: 4.2

Affected Packages1 packages

▶NVDapache/struts20 versions+19

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Improper Input Validation in Apache Struts↗2022-05-13

▶

GHSA

Improper Input Validation in Apache Struts↗2022-05-13

▶

CVEList

CVE-2016-1182: ActionServlet↗2016-07-04

▶

📋Vendor Advisories

Red Hat

struts: Improper input validation in Validator↗2016-06-07

▶

🕵️Threat Intelligence

Fortinet

The Analysis of Apache Struts 1 ActionServlet Validator Bypass (CVE-2016-1182)↗2017-10-25

▶

💬Community

Bugzilla

CVE-2016-1182 struts: Improper input validation in Validator↗2016-06-07

▶

Bugzilla

CVE-2016-1181 CVE-2016-1182 struts: various flaws [epel-7]↗2016-06-07

▶

Bugzilla

CVE-2016-1181 CVE-2016-1182 struts: various flaws [fedora-all]↗2016-06-07

▶