Vulnerability Details: CVE-2016-4431
Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method.
Vulnerability category: Input validation
Products affected by CVE-2016-4431
- cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-4431
- 0.91%: Probability of exploitation activity in the next 30 days
- ~81%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-4431
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2016-4431
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-4431
- Apache Struts CVE-2016-4431 Security Bypass Vulnerability: http://www.securityfocus.com/bid/91284
- IBM Security Bulletin: Multiple Vulnerabilities in Struts v2 affect IBM Opportunity Detect (Third Party Advisory): http://www-01.ibm.com/support/docview.wss?uid=swg21987854
- JVNDB-2016-000113 - JVN iPedia - Vulnerability Countermeasure Information Database (VDB Entry; Vendor Advisory): http://jvndb.jvn.jp/jvndb/JVNDB-2016-000113
- S2-040 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation (Vendor Advisory): https://struts.apache.org/docs/s2-040.html
- JVN#45093481: Multiple vulnerabilities in Apache Struts 2 (Vendor Advisory): http://jvn.jp/en/jp/JVN45093481/index.html
- 1348252 - (CVE-2016-4431) CVE-2016-4431 struts: Possible manipulation of return result and bypassing validation (Issue Tracking): https://bugzilla.redhat.com/show_bug.cgi?id=1348252
- Oracle Critical Patch Update - July 2017: http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- IBM Security Bulletin: Multiple vulnerabilities in Apache Struts affect SAN Volume Controller, Storwize family and FlashSystem V9000 products (Third Party Advisory): http://www-01.ibm.com/support/docview.wss?uid=ssg1S1009282