S2-049

Summary

A DoS attack is available for Spring secured actions

Who should read this

All Struts 2 developers and users

Impact of vulnerability

A DoS attack is available for Spring secured actions

Maximum security rating

Medium

Recommendation

Upgrade to Struts 2.5.11

Affected Software

Struts 2.5 - Struts 2.5.10

Reporter

Yasser Zamani <yasser dot zamani at live dot com>

CVE Identifier

 

Problem

When Spring AOP functionality is used to secure Struts actions, a DoS attack is possible once the user has been properly authenticated.

Solution

Upgrade to Apache Struts version 2.5.11.

Backward compatibility

No backward incompatibility issues are expected.

Workaround

Please define the below constant in a struts.xml file:

<constant name="struts.additional.excludedPatterns" value=".\.accessDecisionManager\.." />
