Summary
A DoS attack is available for Spring secured actions
Who should read this
All Struts 2 developers and users
Impact of vulnerability
A DoS attack is available for Spring secured actions
Maximum security rating
Recommendation
Upgrade to Struts 2.5.12 or Struts 2.3.33
Affected Software
Struts 2.3.7 - Struts 2.3.32, Struts 2.5 - Struts 188.8.131.52
Reporter
Yasser Zamani <yasser dot zamani at live dot com>
Problem
When Spring AOP is used to secure Struts actions, a DoS attack is possible even when the user has not been properly authenticated, provided the application mixes secured and unsecured actions in one class.
Solution
Upgrade to Apache Struts version 2.5.12 or 2.3.33.
Backward compatibility
No backward incompatibility issues are expected.
Workaround
Please define the below constant in a
<constant name="struts.additional.excludedPatterns" value=".*\.accessDecisionManager\..*" />
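The following is an added example, not code from the advisory or from Struts, that checks what the workaround pattern does to submitted parameter names. It assumes that Struts tests each parameter name against every excluded pattern with a full match (Java's Matcher.matches(), reproduced here with Python's re.fullmatch), and the parameter names are constructed.

```python
import re

# Workaround pattern from the advisory. The ".*" on both ends matters: the
# check is a full match, so without them only a one-character prefix and
# suffix around ".accessDecisionManager." would be caught.
EXCLUDED_PATTERNS = [r".*\.accessDecisionManager\..*"]

# Assumption: Struts applies excluded patterns as a full match over the
# whole parameter name, which re.fullmatch reproduces.
def is_excluded(param_name: str, patterns=EXCLUDED_PATTERNS) -> bool:
    return any(re.fullmatch(p, param_name) for p in patterns)

def filter_params(params: dict, patterns=EXCLUDED_PATTERNS):
    """Return (accepted, dropped): the names an interceptor using these
    excluded patterns would pass on, and the names it would refuse."""
    accepted = {k: v for k, v in params.items()
                if not is_excluded(k, patterns)}
    dropped = sorted(k for k in params if k not in accepted)
    return accepted, dropped

# Constructed sample request: two ordinary form fields plus one nested
# property path that passes through an accessDecisionManager property.
SAMPLE_PARAMS = {
    "username": "alice",
    "order.id": "42",
    "someBean.accessDecisionManager.someProperty": "x",
}

if __name__ == "__main__":
    accepted, dropped = filter_params(SAMPLE_PARAMS)
    print("accepted:", sorted(accepted))
    print("dropped:", dropped)
```

Running it with the pattern's ".*" anchors removed shows the nested name slipping through, which is why the constant must be entered exactly as given above.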