You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Summary

Possible DoS attack when using URLValidator

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Possible DoS attack when using URLValidator

Maximum security rating

Low

Recommendation

Upgrade to Struts 2.5.6

Affected Software

Struts 2.3.20 - Struts Struts 2.3.28.1 and Struts 2.5

Reporter

ASAI Ken tc535mr2 at gmail dot com

CVE Identifier

CVE-2016-4465

Problem

If an application allows enter na URL field in a form and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.

Solution

Upgrade to Apache Struts version 2.5.6.

Backward compatibility

No backward incompatibility issues are expected.

Workaround

Trim passed value before assigning it to a field, e.g.

public String setUserUrl(String userUrl) {
    this.userUrl = userUrl.trim();
}
  • No labels