CVE-2016-8738

CWE-20 — Improper Input Validation4 documents4 sources

Severity

5.9MEDIUM

EPSS

1.1%

top 21.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Struts Apache Struts

Timeline

PublishedSep 20

Latest updateMay 14

Description

In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.struts:struts2-core2.5.0 — 2.5.13

▶NVDapache/struts6 versions+5

▶CVEListV5apache_software_foundation/apache_struts2.5 - 2.5.5

Patches

Patch: struts.apache.org ↗Patch: struts.apache.org ↗

🔴Vulnerability Details

OSV

Apache Struts vulnerable to possible DoS attack when using URLValidator↗2022-05-14

▶

GHSA

Apache Struts vulnerable to possible DoS attack when using URLValidator↗2022-05-14

▶

CVEList

CVE-2016-8738: In Apache Struts 2↗2017-09-20

▶