Vulnerability Details : CVE-2016-1182
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
Vulnerability categories: Cross-site scripting (XSS); Input validation; Denial of service
Products affected by CVE-2016-1182
- cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:1.2.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-1182
- EPSS score: 3.69% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~87% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2016-1182
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P | 10.0 | 4.9 | NIST | |
| 8.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H | 3.9 | 4.2 | NIST | |
CWE ids for CVE-2016-1182
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-1182
- https://www.oracle.com/security-alerts/cpujan2020.html
  Oracle Critical Patch Update Advisory - January 2020
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
  CPU Oct 2018 (Patch)
- http://jvn.jp/en/jp/JVN65044642/index.html
  JVN#65044642: Apache Struts 1 vulnerable to input validation bypass (Vendor Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html
  Oracle Critical Patch Update Advisory - July 2020
- http://www.securityfocus.com/bid/91787
  Oracle July 2016 Critical Patch Update Multiple Vulnerabilities (Third Party Advisory; VDB Entry)
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
  Oracle Critical Patch Update - January 2018 (Patch)
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
  Oracle Critical Patch Update - July 2019
- https://bugzilla.redhat.com/show_bug.cgi?id=1343540
  1343540 – (CVE-2016-1182) CVE-2016-1182 struts: Improper input validation in Validator (Issue Tracking)
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
  Oracle Critical Patch Update - October 2017 (Patch)
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
  Oracle Critical Patch Update - July 2016 (Patch; Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
  Oracle Critical Patch Update - April 2019
- https://security.netapp.com/advisory/ntap-20180629-0006/
  April 2018 Apache Struts Vulnerabilities in NetApp Products | NetApp Product Security (Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
  Oracle Critical Patch Update - October 2016 (Patch; Third Party Advisory)
- http://www.securitytracker.com/id/1036056
  Apache Struts ActionForm and Validator Bugs Let Remote Users Deny Service, Obtain Potentially Sensitive Information, and Execute Arbitrary Code - SecurityTracker (Third Party Advisory; VDB Entry)
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
  Oracle Critical Patch Update - January 2019 (Patch)
- http://jvndb.jvn.jp/jvndb/JVNDB-2016-000097
  JVNDB-2016-000097 - JVN iPedia - Vulnerability Countermeasure Information Database (Third Party Advisory; VDB Entry; Vendor Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
  CPU July 2018 (Patch)
- https://security-tracker.debian.org/tracker/CVE-2016-1182
  CVE-2016-1182 (Third Party Advisory)
- https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8
  Fixed CVE-2016-1181 and CVE-2016-1182 · kawasima/struts1-forever@eda3a79 · GitHub (Issue Tracking; Patch)
- http://www.securityfocus.com/bid/91067
  Apache Struts CVE-2016-1182 Security Bypass Vulnerability (Third Party Advisory; VDB Entry)