An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.
Max CVSS
7.5
EPSS Score
13.22%
Published
2020-09-14
Updated
2022-04-18
The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here http://struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another option is to implement a custom XML handler based on the Jackson XML handler from the Apache Struts 2.5.16.
Max CVSS
7.5
EPSS Score
1.48%
Published
2018-03-27
Updated
2020-12-08
In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.
Max CVSS
6.2
EPSS Score
0.23%
Published
2017-12-01
Updated
2019-04-26
The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.
Max CVSS
7.5
EPSS Score
93.20%
Published
2017-09-20
Updated
2019-08-12
When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.
Max CVSS
7.5
EPSS Score
3.47%
Published
2017-07-13
Updated
2019-10-03
The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.
Max CVSS
5.3
EPSS Score
95.90%
Published
2016-07-04
Updated
2017-08-09
Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.
Max CVSS
5.3
EPSS Score
2.73%
Published
2016-06-07
Updated
2023-02-12
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
Max CVSS
8.2
EPSS Score
42.77%
Published
2016-07-04
Updated
2020-07-15
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.
Max CVSS
8.1
EPSS Score
2.73%
Published
2016-07-04
Updated
2020-07-15
Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.
Max CVSS
5.0
EPSS Score
1.64%
Published
2012-09-05
Updated
2017-08-29
CVE-2006-1547
Known exploited
ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.
Max CVSS
7.8
EPSS Score
1.42%
Published
2006-03-30
Updated
2017-07-20
CISA KEV Added
2022-01-21
11 vulnerabilities found