A DoS attack is available for Spring secured actions

| Who should read this | All Struts 2 developers and users |
|---|---|
| Impact of vulnerability | A DoS attack is available for Spring secured actions |
| Maximum security rating | Medium |
| Recommendation | Upgrade to Struts 2.5.11 |
| Affected Software | Struts 2.5 - Struts 2.5.10 |
| Reporter | Yasser Zamani <yasser dot zamani at live dot com> |
| CVE Identifier | |
When Spring AOP functionality is used to secure Struts actions, a properly authenticated user can perform a DoS attack.
Solution
Upgrade to Apache Struts version 2.5.11.
No backward incompatibility issues are expected.
Alternatively, define the constant below in a struts.xml file (the leading and trailing `.*` are required, since excluded patterns are matched against the whole parameter name):

<constant name="struts.additional.excludedPatterns" value=".*\.accessDecisionManager\..*" />
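To check what the constant above actually excludes before deploying it, the following added example (not part of the advisory or of Struts) applies the pattern to constructed request parameter names. It assumes that Struts' excluded-pattern check performs a full-string match on each parameter name (the behaviour `re.fullmatch` reproduces here), which is why a pattern without leading and trailing `.*` fails to reject names that have text on either side of `.accessDecisionManager.`. The parameter names and values are constructed for illustration only.

```python
import re

# The value of struts.additional.excludedPatterns from the advisory.
ADDITIONAL_EXCLUDED_PATTERNS = [r".*\.accessDecisionManager\..*"]


def is_excluded(param_name, patterns=ADDITIONAL_EXCLUDED_PATTERNS):
    """Return True if any excluded pattern matches the whole parameter name.

    Assumption: Struts applies each compiled pattern with a full match
    (Java's Matcher.matches()), so a pattern only rejects a name when it
    covers the entire string. re.fullmatch mirrors that here.
    """
    return any(re.fullmatch(p, param_name) for p in patterns)


def filter_parameters(params, patterns=ADDITIONAL_EXCLUDED_PATTERNS):
    """Split request parameters into those the action would accept and the
    names that the exclusion list rejects before any value is applied."""
    accepted = {k: v for k, v in params.items() if not is_excluded(k, patterns)}
    rejected = sorted(k for k in params if is_excluded(k, patterns))
    return accepted, rejected


# Constructed sample request (hypothetical parameter names, not from the page).
SAMPLE_PARAMS = {
    "username": "alice",
    "order.quantity": "3",
    "foo.accessDecisionManager.bar": "1",   # reaches through the AOP proxy: must be rejected
    "accessDecisionManager": "x",           # no dots around it: the pattern does not cover it
}

# A pattern without the .* anchors, kept to show why they matter under full-match semantics.
UNANCHORED_PATTERN = [r"\.accessDecisionManager\."]


def main():
    accepted, rejected = filter_parameters(SAMPLE_PARAMS)
    print("accepted:", sorted(accepted))
    print("rejected:", rejected)
    # Under full-match semantics the unanchored pattern rejects nothing in this sample.
    print("unanchored rejects:", filter_parameters(SAMPLE_PARAMS, UNANCHORED_PATTERN)[1])


if __name__ == "__main__":
    main()
```

The last line of output is the check worth keeping in a deployment test: if a pattern you add to `struts.additional.excludedPatterns` does not reject the parameter names you expect, the most common cause is a missing `.*` on one side.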