CVE-2015-0899
HIGH7.5EPSS 69.5%Improper Input Validation in Apache Struts
Published: 5/14/2022Modified: 10/13/2025
Also known as:GHSA-cvvx-r33m-v7pq
Description
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.
Affected packages (4)
- Debian/libstruts1.2-javafrom 0, < 1.2.9-4+deb6u2
- Debian/libstruts1.2-javafrom 0, < 1.2.9-5+deb7u2
- Maven/org.apache.struts:struts-core>= 1.1, <= 1.3.10
- Maven/struts:struts>= 1.1, <= 1.2.9
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2015-0899
- PATCHhttps://github.com/apache/struts
- WEBhttp://jvndb.jvn.jp/jvndb/JVNDB-2015-000042
- WEBhttp://jvn.jp/en/jp/JVN86448949/index.html
- WEBhttps://en.osdn.jp/projects/terasoluna/wiki/StrutsPatch2-EN
- WEBhttps://security.netapp.com/advisory/ntap-20180629-0006
- WEBhttp://www.debian.org/security/2016/dsa-3536
- WEBhttp://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html