CVE-2016-4430Cross-Site Request Forgery in Apache Struts

CWE-352Cross-Site Request Forgery6 documents6 sources
Severity
8.8HIGHNVD
EPSS
1.3%
top 20.61%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Struts
Timeline
PublishedJul 4
Latest updateMay 17

Description

Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

NVDapache/struts8 versions+7

🔴Vulnerability Details

3
GHSA
Apache Struts CSRF Vulnerability2022-05-17
OSV
Apache Struts CSRF Vulnerability2022-05-17
CVEList
CVE-2016-4430: Apache Struts 2 22016-07-04

📋Vendor Advisories

1
Red Hat
struts: Bypassing token validation triggered by malicious expression2016-06-17

💬Community

1
Bugzilla
CVE-2016-4430 struts: Bypassing token validation triggered by malicious expression2016-06-20
CVE-2016-4430 — Cross-Site Request Forgery in Apache | cvebase