Configuration in Apache Struts

#VU82186 Configuration in Apache Struts

Published: 2023-10-18

Vulnerability identifier: #VU82186

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2013-4316

CWE-ID: CWE-16

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Struts
Server applications / Frameworks for developing and running applications

Vendor: Apache Foundation

Description

The issue may allow a remote attacker to bypass implemented security restrictions.

The issue exists due to Apache Struts enables Dynamic Method Invocation by default. A remote attacker can trigger the vulnerability to bypass implemented security restrictions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Struts: 2.0.0 - 2.3.15.1

External links
http://archives.neohapsis.com/archives/bugtraq/2013-09/0107.html
http://struts.apache.org/release/2.3.x/docs/s2-019.html
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
http://www.securityfocus.com/bid/64758
http://www.securitytracker.com/id/1029078

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Sterling Order Management

Multiple vulnerabilities in IBM SAN Volume Controller and Storwize Family