First published: Thu Mar 30 2006(Updated: )
ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
maven/struts:struts | <1.2.9 | 1.2.9 |
Apache Struts 2 | <=1.2.8 | |
Apache Struts 2 | =1.2.7 | |
Apache Struts | ||
All of | ||
Apache Struts 2 | <1.2.9 | |
Apache Commons BeanUtils | =1.7.0 | |
All of | ||
<1.2.9 | ||
=1.7.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2006-1547 has a severity rating of moderate, primarily related to denial of service vulnerabilities.
To fix CVE-2006-1547, upgrade Apache Struts to version 1.2.9 or later.
CVE-2006-1547 affects Apache Struts versions prior to 1.2.9, including 1.2.7 and 1.2.8.
A recommended workaround for CVE-2006-1547 is to validate and sanitize parameter names in multipart/form-data submissions.
CVE-2006-1547 facilitates denial of service attacks through manipulation of multipart/form-data encoded forms.