CVE-2011-5057
Apache Struts 2.0.9/2.1.8 - Session Tampering Security Bypass
Severity Score: -
Exploit Likelihood: -
Affected Versions: Apache Struts >= 2.0.0 < 2.3.3 (see table below)
Public Exploits: 1
Exploited in Wild: -
Decision: -
Descriptions
Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this report because of an "easy work-around in existing apps by configuring the interceptor."
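As an added illustration that is not part of this advisory and not code from the Struts project: a hypothetical Struts 2 action showing the pattern the report targets, and the interceptor setting the vendor's "easy work-around" refers to. The class, package and parameter names are invented; the excludeParams patterns are the ones later Struts 2.3 releases ship in struts-default.xml, so check them against your own version.

```java
// Added example, not code from the advisory or from Apache Struts.
package example; // hypothetical package name

import java.util.Map;

import org.apache.struts2.interceptor.SessionAware;
import com.opensymphony.xwork2.ActionSupport;

public class ProfileAction extends ActionSupport implements SessionAware {

    private Map<String, Object> session;

    // Required by SessionAware: the framework injects the HTTP session map here.
    @Override
    public void setSession(Map<String, Object> session) {
        this.session = session;
    }

    // The risky part. A public getter makes "session" a readable OGNL property
    // of the action. ParametersInterceptor sets every acceptable request
    // parameter on the value stack, so a request such as
    //     POST /profile.action   session.role=admin
    // is evaluated as the OGNL assignment  session.role = "admin", which becomes
    // session.put("role", "admin") before execute() runs. Without a getter OGNL
    // cannot reach the injected map, so the simplest fix is to drop this method.
    // The same exposure applies to RequestAware, ApplicationAware,
    // ServletRequestAware, ServletResponseAware and ParameterAware when the
    // injected object is reachable through a getter.
    public Map<String, Object> getSession() {
        return session;
    }

    @Override
    public String execute() {
        // A typical check that the tampered parameter defeats (hypothetical).
        if ("admin".equals(session.get("role"))) {
            return "admin";
        }
        return SUCCESS;
    }
}

/*
 * The work-around the vendor refers to: tell ParametersInterceptor to discard
 * parameter names that address the injected collections. In struts.xml, using
 * the "params" interceptor name from struts-default.xml:
 *
 * <interceptors>
 *   <interceptor-stack name="hardenedStack">
 *     <interceptor-ref name="defaultStack">
 *       <param name="params.excludeParams">dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*</param>
 *     </interceptor-ref>
 *   </interceptor-stack>
 * </interceptors>
 * <default-interceptor-ref name="hardenedStack"/>
 *
 * With this in place "session.role=admin" never reaches OGNL; the parameter is
 * dropped by name before the value stack is touched.
 */
```

Note that the exclusion is by parameter name only, so audit actions for getters that expose other injected objects (request attributes, the servlet request/response) and extend the pattern list accordingly rather than relying on the six prefixes alone.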
CVSS Scores: -
SSVC Decision: -
Timeline
- 2011-12-07 First Exploit
- 2012-01-08 CVE Reserved
- 2012-01-08 CVE Published
- 2024-08-07 CVE Updated
- 2024-10-17 EPSS Updated
- Exploited in Wild: no date recorded
- KEV Due Date: no date recorded
CWE
- CWE-264: Permissions, Privileges, and Access Controls
CAPEC: -
References (4)
URL | Date | Tag
---|---|---
http://codesecure.blogspot.com/2011/12/struts-2-session-tampering-via.html | | Third Party Advisory
https://www.exploit-db.com/exploits/36426 | 2011-12-07 | Exploit
https://issues.apache.org/jira/browse/WW-2264 | 2019-08-12 |
https://issues.apache.org/jira/browse/WW-3631 | 2019-08-12 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Apache | Struts | >= 2.0.0 < 2.3.3 | - | Affected