fkie_cve-2016-1182
Vulnerability from fkie_nvd
Published
2016-07-04 22:59
Modified
2025-04-12 10:46
Severity ?
Summary
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | struts | 1.0 | |
| apache | struts | 1.0 | |
| apache | struts | 1.0 | |
| apache | struts | 1.0 | |
| apache | struts | 1.0.1 | |
| apache | struts | 1.0.2 | |
| apache | struts | 1.1 | |
| apache | struts | 1.1 | |
| apache | struts | 1.1 | |
| apache | struts | 1.1 | |
| apache | struts | 1.1 | |
| apache | struts | 1.1 | |
| apache | struts | 1.2.0 | |
| apache | struts | 1.2.1 | |
| apache | struts | 1.2.2 | |
| apache | struts | 1.2.3 | |
| apache | struts | 1.2.4 | |
| apache | struts | 1.2.5 | |
| apache | struts | 1.2.6 | |
| apache | struts | 1.2.7 | |
| apache | struts | 1.2.8 | |
| apache | struts | 1.2.9 | |
| apache | struts | 1.3.5 | |
| apache | struts | 1.3.6 | |
| apache | struts | 1.3.7 | |
| apache | struts | 1.3.8 | |
| apache | struts | 1.3.9 | |
| apache | struts | 1.3.10 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*", matchCriteriaId: "A5051228-446E-461D-9B5F-8F765C7BA57F", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.0:beta1:*:*:*:*:*:*", matchCriteriaId: "32FFABC1-74F8-414A-BCC7-7CDC7EB078F1", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.0:beta2:*:*:*:*:*:*", matchCriteriaId: "1239ED60-1581-4FFB-A5FB-4FB898C1EBDA", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.0:beta3:*:*:*:*:*:*", matchCriteriaId: "08266BA4-A365-4187-AC98-230E040B3B8C", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.0.1:*:*:*:*:*:*:*", matchCriteriaId: "709E6CEB-461C-4C6C-A3E9-CC37E3AE9E58", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*", matchCriteriaId: "EE1B8A83-43A4-4C4F-BB95-4D9CAD882D1C", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*", matchCriteriaId: "A55DDFE1-A8AB-47BB-903E-957FCF3D023D", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*", matchCriteriaId: "93FA9AE3-B453-4FE6-82A9-7DDEF3F6C464", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*", matchCriteriaId: "A3BB6FBE-469B-4920-A30B-33AD9E41ACCD", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*", matchCriteriaId: "34FC82D3-CCAF-4F37-B531-2A9CA17311A9", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*", matchCriteriaId: "E0B8B413-8C62-44B6-A382-26F35F4573D4", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*", matchCriteriaId: "6309C679-890A-4214-8857-9F119CBBAA00", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.2.0:*:*:*:*:*:*:*", matchCriteriaId: "241A8B39-643B-4371-B629-1636F24DDC97", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.2.1:*:*:*:*:*:*:*", matchCriteriaId: "4EE7EF4C-CD6F-4B74-89E3-321706B733FE", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*", matchCriteriaId: "CD882860-03D0-49E9-8CED-DE6663392548", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.2.3:*:*:*:*:*:*:*", matchCriteriaId: "95087298-38D2-4ED6-9D99-494AE90F6DE2", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*", matchCriteriaId: "EDDD509E-9EBF-483F-9546-A1A3A1A3380E", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.2.5:*:*:*:*:*:*:*", matchCriteriaId: "15BD4B0B-31A2-4DA3-814A-5C959D1BC64A", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*", matchCriteriaId: "B2ECF5E1-457F-4E76-81F7-65114DC4E1E4", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*", matchCriteriaId: "2FC81E1A-2779-4FAF-866C-970752CD1828", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*", matchCriteriaId: "CBD69FAE-C1A3-4213-824A-7DCCE357EB01", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*", matchCriteriaId: "9C34FDB0-2778-4C36-8345-F7E27509A383", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*", matchCriteriaId: "CF0302D3-CB8D-4FA7-8F07-C2C7593877BE", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.3.6:*:*:*:*:*:*:*", matchCriteriaId: "8FC3685E-CC47-479D-A418-065ADB38EDD5", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.3.7:*:*:*:*:*:*:*", matchCriteriaId: "805A4E32-2447-49BB-8631-E41DAA221E10", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*", matchCriteriaId: "03906D34-F3B3-4C56-A6A6-2F7A10168501", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.3.9:*:*:*:*:*:*:*", matchCriteriaId: "91CBFC67-BDD8-4579-843A-F93A2661B032", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*", matchCriteriaId: "1B3872B7-2972-433D-96A1-154FA545B311", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.", }, { lang: "es", value: "ActionServlet.java en Apache Struts 1 1.x hasta la versión 1.3.10 no restringe adecuadamente la configuración Validator, lo que permite a atacantes remotos llevar a cabo ataques de secuencias de comandos en sitios cruzados (XSS) o provocar una denegación de servicio a través de una entrada manipulada, un problema relacionado con CVE-2015-0899.", }, ], id: "CVE-2016-1182", lastModified: "2025-04-12T10:46:40.837", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.4, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:L/Au:N/C:N/I:P/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 4.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.2, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", version: "3.0", }, exploitabilityScore: 3.9, impactScore: 4.2, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2016-07-04T22:59:02.880", references: [ { source: "vultures@jpcert.or.jp", tags: [ "Vendor Advisory", ], url: "http://jvn.jp/en/jp/JVN65044642/index.html", }, { source: "vultures@jpcert.or.jp", tags: [ "Third Party Advisory", "VDB Entry", "Vendor Advisory", ], url: "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000097", }, { source: "vultures@jpcert.or.jp", tags: [ "Patch", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { source: "vultures@jpcert.or.jp", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html", }, { source: "vultures@jpcert.or.jp", tags: [ "Patch", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { source: "vultures@jpcert.or.jp", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { source: "vultures@jpcert.or.jp", tags: [ "Patch", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { source: "vultures@jpcert.or.jp", tags: [ "Patch", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { source: "vultures@jpcert.or.jp", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/91067", }, { source: "vultures@jpcert.or.jp", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/91787", }, { source: "vultures@jpcert.or.jp", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1036056", }, { source: "vultures@jpcert.or.jp", tags: [ "Issue Tracking", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1343540", }, { source: "vultures@jpcert.or.jp", tags: [ "Issue Tracking", "Patch", ], url: "https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8", }, { source: "vultures@jpcert.or.jp", tags: [ "Third Party Advisory", ], url: "https://security-tracker.debian.org/tracker/CVE-2016-1182", }, { source: "vultures@jpcert.or.jp", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20180629-0006/", }, { source: "vultures@jpcert.or.jp", url: "https://www.oracle.com/security-alerts/cpujan2020.html", }, { source: "vultures@jpcert.or.jp", url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { source: "vultures@jpcert.or.jp", url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { source: "vultures@jpcert.or.jp", tags: [ "Patch", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { source: "vultures@jpcert.or.jp", url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://jvn.jp/en/jp/JVN65044642/index.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", "Vendor Advisory", ], url: "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000097", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/91067", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securityfocus.com/bid/91787", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1036056", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1343540", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", ], url: "https://github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security-tracker.debian.org/tracker/CVE-2016-1182", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20180629-0006/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.oracle.com/security-alerts/cpujan2020.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, ], sourceIdentifier: "vultures@jpcert.or.jp", vulnStatus: "Deferred", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.