S2-049


A DoS attack is available for Spring secured actions

Who should read this

All Struts 2 developers and users

Impact of vulnerability

A DoS attack is available for Spring secured actions

Maximum security rating



Recommendation

Upgrade to Struts 2.5.12 or Struts 2.3.33

Affected Software

Struts 2.3.7 - Struts 2.3.32, Struts 2.5 - Struts


Reporter

Yasser Zamani <yasser dot zamani at live dot com>

CVE Identifier



Problem

When Spring AOP functionality is used to secure Struts actions, a DoS attack is possible even by a user who was not properly authenticated, provided the application mixes secured and unsecured actions in one class.


Solution

Upgrade to Apache Struts version 2.5.12 or 2.3.33.

Backward compatibility

No backward incompatibility issues are expected.


Workaround

Please define the following constant in the struts.xml file:

<constant name="struts.additional.excludedPatterns" value=".\.accessDecisionManager\.." />
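
A triage check built from the versions and the workaround stated in this bulletin, added here as an example and not part of the Apache Struts advisory or code base. The function names and the sample struts.xml are constructed; the 2.5.x line is treated as affected up to the fixed 2.5.12, and the workaround check is a substring heuristic on the constant's value.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the bulletin, keyed by release line.
FIXED = {(2, 3): (2, 3, 33), (2, 5): (2, 5, 12)}
FIRST_AFFECTED_23 = (2, 3, 7)  # bulletin: "Struts 2.3.7 - Struts 2.3.32"

# Constructed sample config carrying the workaround constant as printed above.
SAMPLE = r'''<struts>
  <constant name="struts.devMode" value="false" />
  <constant name="struts.additional.excludedPatterns"
            value=".\.accessDecisionManager\.." />
</struts>'''

def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); non-numeric suffixes are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def needs_upgrade(version):
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return False  # release line not listed in the bulletin
    if v[:2] == (2, 3) and v < FIRST_AFFECTED_23:
        return False
    # Assumption: any 2.5.x release before the fixed 2.5.12 needs the upgrade.
    return v < fixed

def has_workaround(struts_xml):
    """Heuristic: the constant exists and its value mentions the property.
    Run this only on your own, trusted configuration files."""
    root = ET.fromstring(struts_xml)
    return any(
        c.get("name") == "struts.additional.excludedPatterns"
        and "accessDecisionManager" in c.get("value", "")
        for c in root.iter("constant"))

def triage(version, struts_xml):
    if not needs_upgrade(version):
        return "version not in affected range"
    if has_workaround(struts_xml):
        return "affected version, workaround present: schedule upgrade"
    return "affected version, no workaround: upgrade or add constant"

if __name__ == "__main__":
    print(triage("2.5.10.1", SAMPLE))
```
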


