CVE-2015-1831

EPSS 4.5%

Incomplete exclude pattern in Apache Struts

Published: 5/17/2022
Modified: 12/6/2024

Description

The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. In Struts 2.3.20.1, a better set of exclude patterns was defined.

Affected packages (2)

References (4)