Vulnerability Details : CVE-2016-4465
The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
Vulnerability category: Input validation; Denial of service
Products affected by CVE-2016-4465
- cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5:beta3:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*
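The ranges in the description above ("2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1") are what a practitioner has to compare a deployed Struts version against, and version strings with beta suffixes do not sort correctly as plain strings. The helper below is an added example, not code from this entry, from NVD or from the Struts project. It assumes version strings in the shapes found in the CPE names above (dotted numeric parts, optionally followed by alpha/beta/rc and a number) and, following the CPE list, treats 2.5 beta1 as the first affected release of the 2.5 line.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges exactly as stated in the CVE-2016-4465 description:
# 2.3.20 through 2.3.28.1 (both inclusive) and 2.5.x before 2.5.1.
# Assumption: the 2.5 line starts at 2.5-beta1, the earliest 2.5 CPE listed.
AFFECTED_RANGES = (
    ("2.3.20", "2.3.28.1", True),    # (lower, upper, upper bound inclusive?)
    ("2.5-beta1", "2.5.1", False),
)

# Pre-release ranking: alpha < beta < rc < final release.
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

VersionKey = Tuple[Tuple[int, ...], int, int]

_VERSION_RE = re.compile(
    r"\s*(\d+(?:\.\d+)*)(?:[-. ]?(alpha|beta|rc)\.?(\d*))?\s*", re.IGNORECASE
)


def version_key(version: str) -> VersionKey:
    """Map a Struts version string to a key that sorts the way releases do.

    Accepts '2.3.28.1', '2.5', '2.5-beta1', '2.5.BETA2', '2.5 beta3'.
    Key = (numeric parts, pre-release rank, pre-release number), so that
    2.5-beta1 < 2.5 < 2.5.1 and 2.3.28.1 < 2.3.29.
    """
    m = _VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    # Drop trailing zeros so that 2.5 and 2.5.0 compare equal.
    while len(nums) > 1 and nums[-1] == 0:
        nums = nums[:-1]
    if m.group(2):
        return (nums, _PRERELEASE_RANK[m.group(2).lower()], int(m.group(3) or 0))
    return (nums, _FINAL_RANK, 0)


def is_affected(version: str) -> bool:
    """True if the given Struts version falls inside an affected range."""
    v = version_key(version)
    for lower, upper, inclusive in AFFECTED_RANGES:
        lo, hi = version_key(lower), version_key(upper)
        if lo <= v and (v <= hi if inclusive else v < hi):
            return True
    return False


def version_from_cpe(cpe: str) -> Optional[str]:
    """Pull 'version[-update]' out of a CPE 2.3 name for apache:struts.

    Returns None for CPEs of other products. Layout assumed:
    cpe:2.3:part:vendor:product:version:update:...
    """
    parts = cpe.strip().split(":")
    if len(parts) < 7 or parts[3:5] != ["apache", "struts"]:
        return None
    version, update = parts[5], parts[6]
    return version if update == "*" else f"{version}-{update}"


def affected_versions_from_cpes(cpes: List[str]) -> List[str]:
    """Return the Struts versions in a CPE list that this CVE's ranges cover."""
    hits = []
    for cpe in cpes:
        version = version_from_cpe(cpe)
        if version is not None and is_affected(version):
            hits.append(version)
    return hits


# Sample input: the twelve CPE names listed on this page, plus one constructed
# non-Struts CPE and one constructed fixed-version CPE to show they are skipped.
SAMPLE_CPES = [
    "cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:struts:2.5:beta1:*:*:*:*:*:*",
    "cpe:2.3:a:apache:struts:2.5:beta2:*:*:*:*:*:*",
    "cpe:2.3:a:apache:struts:2.5:beta3:*:*:*:*:*:*",
    "cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*",     # constructed: other product
    "cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*",    # constructed: outside the range
]

if __name__ == "__main__":
    for v in ("2.3.16", "2.3.20", "2.3.28.1", "2.3.29", "2.5-beta1", "2.5", "2.5.1"):
        print(f"{v:>10}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    print("flagged from CPE list:", affected_versions_from_cpes(SAMPLE_CPES))
```

The same `is_affected` check can be pointed at the `struts2-core` version from a `pom.xml` or the jar's `META-INF/MANIFEST.MF`; the comparison key is what matters, since a string comparison would rank `2.5-beta1` after `2.5` and `2.3.28.1` after `2.3.29`.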
Exploit prediction scoring system (EPSS) score for CVE-2016-4465
77.37% - probability of exploitation activity in the next 30 days
~98% - percentile: the proportion of all scored vulnerabilities whose EPSS score is at or below this one
CVSS scores for CVE-2016-4465
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 | NIST | |
CWE ids for CVE-2016-4465
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2016-4465
- http://www-01.ibm.com/support/docview.wss?uid=swg21987854
  IBM Security Bulletin: Multiple Vulnerabilities in Struts v2 affect IBM Opportunity Detect (Third Party Advisory)
- http://jvndb.jvn.jp/jvndb/JVNDB-2016-000114
  JVNDB-2016-000114 - JVN iPedia - Vulnerability Countermeasure Information Database (VDB Entry; Vendor Advisory)
- http://jvn.jp/en/jp/JVN12352818/index.html
  JVN#12352818: Apache Struts 2 vulnerable to denial-of-service (DoS) (Vendor Advisory)
- http://www.securityfocus.com/bid/91278
  Apache Struts CVE-2016-4465 Denial of Service Vulnerability
- https://struts.apache.org/docs/s2-041.html
  S2-041 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation (Vendor Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
  Oracle Critical Patch Update - July 2017
- https://bugzilla.redhat.com/show_bug.cgi?id=1348253
  1348253 - (CVE-2016-4465) CVE-2016-4465 struts: Possible DoS attack when using URLValidator (Issue Tracking)