Possible DoS attack when using |
Who should read this | All Struts 2 developers and users |
|---|---|
Impact of vulnerability | Possible DoS attack when using URLValidator |
Maximum security rating | Low |
Recommendation | Upgrade to Struts 2.5.13 |
Affected Software | Struts 2.5 - Struts 2.5.12 |
Reporter | Jonathan Bullock <jonbullock at gmail dot com> |
CVE Identifier | CVE-2016-8738 |
If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.
Upgrade to Apache Struts version 2.5.13.
No backward incompatibility issues are expected.
Trim passed value before assigning it to a field, e.g.
public String setUserUrl(String userUrl) {
this.userUrl = userUrl.trim();
} |