Versions Compared

Old Version 4

changes.mady.by.user Lukasz Lenart

Saved on

compared with

New Version 5

changes.mady.by.user René Gielen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Summary

Excerpt

In Struts 2 before 2.3.15.2, under certain conditions this can be used to bypass security constraints.Broken Access Control Vulnerability in Apache Struts2

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Permissions, Privileges, and Access Controls

Maximum security rating

Important

Recommendation

Developers should immediately upgrade to Struts 2.3.15.2

Affected Software

Struts 2.0.0 - Struts 2.3.15.1

Reporter

Zhangyan (L), Huawei PSIRT

CVE Identifier

CVE-2013-4310

Problem

The Struts 2 action mapping mechanism supports the special parameter prefix action: which is intended to help with attaching
navigational information to buttons within forms.

In Struts 2 before 2.3.15.2, under certain conditions this can be used to bypass security constraints. More details will available later on when the patch will be widely adopted.

...