First published: Sun Jan 08 2012
Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this report because of an "easy work-around in existing apps by configuring the interceptor."
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
Apache Struts 2 | <=2.3.1.2; >=2.3.19 <=2.3.23 | Upgrade to 2.3.24 or later, or configure the params interceptor to exclude parameter names that target the session, request, application, servletRequest, servletResponse and parameters collections
CVE-2011-5057 lets a remote attacker modify run-time data values that an action exposes through collections such as the session and request maps; the impact is on integrity (values being written) rather than disclosure, and the vendor disputes the significance of the report because the exposure is closed by interceptor configuration.
To fix CVE-2011-5057, upgrade to Apache Struts 2.3.24 or later. Where an upgrade is not immediately possible, the vendor-stated workaround is to configure the params interceptor so that parameter names navigating into the affected collections (session, request, application, servletRequest, servletResponse, parameters) are excluded from binding.
Exploiting CVE-2011-5057 lets a remote attacker set entries in an application's run-time collections through crafted request parameter names, which can change application behaviour and undermine any security decision (such as an authorization check) that trusts state kept in the session or request.
CVE-2011-5057 affects Apache Struts 2.3.1.2 and earlier, and versions 2.3.19 through 2.3.23.
The workaround for CVE-2011-5057 is the one the vendor names: configure the params interceptor to exclude parameter names that reach the affected collections (names beginning `session.`, `request.`, `application.`, `servletRequest.`, `servletResponse.`, `parameters.`, and their bracket forms), rather than relying on per-field validation inside the action; an action can additionally restrict the parameter names it accepts to an explicit allow-list.
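The following is an added example, not code from this advisory or from the Struts project, illustrating the exposure the description above refers to and the interceptor-side hardening. It assumes Struts 2.3.x; the class names (`VulnerableProfileAction`, `HardenedProfileAction`), the parameter `displayName` and the session key `role` are illustrative assumptions. The two classes are shown in one block for comparison; in a project each would live in its own source file.

```java
// Added example for CVE-2011-5057 (not from the advisory or the Struts project).
// Assumes Struts 2.3.x. Class and parameter names are illustrative assumptions.
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;
import org.apache.struts2.interceptor.SessionAware;

// ---- File: VulnerableProfileAction.java ------------------------------------
/**
 * EXPOSED: implements SessionAware and, as many actions do, also publishes a
 * getter for the injected map. The params interceptor treats every request
 * parameter name as an OGNL expression evaluated against the action, so a
 * request such as
 *     POST /profile.action   displayName=alice&session.role=admin
 * resolves getSession() and then writes session["role"] = "admin" even though
 * execute() never intended to grant a role. This is the surface the vendor
 * workaround (excluding ^session\..* etc. in the params interceptor) closes.
 */
public class VulnerableProfileAction extends ActionSupport implements SessionAware {
    private Map<String, Object> session;
    private String displayName;   // the only parameter this action intends to accept

    public void setSession(Map<String, Object> session) { this.session = session; }
    public Map<String, Object> getSession() { return session; }  // reachable as "session.*"

    public void setDisplayName(String displayName) { this.displayName = displayName; }
    public String getDisplayName() { return displayName; }

    public String execute() {
        session.put("displayName", displayName);
        return SUCCESS;
    }
}

// ---- File: HardenedProfileAction.java --------------------------------------
/**
 * HARDENED: same business logic, two changes.
 * (1) The session map has no public getter, so no parameter-derived OGNL
 *     expression can navigate from the action into the collection.
 * (2) The action implements ParameterNameAware and allow-lists the parameter
 *     names it binds. ParametersInterceptor consults acceptableParameterName()
 *     before binding, so "session.role", "request['x']" and similar names are
 *     dropped regardless of what the interceptor's own excludeParams contains.
 */
public class HardenedProfileAction extends ActionSupport
        implements SessionAware, ParameterNameAware {
    // Only plain property names are ever accepted: no '.', '[', '#' or other
    // OGNL navigation characters can pass this pattern.
    private static final Pattern SIMPLE_NAME = Pattern.compile("^[a-zA-Z][a-zA-Z0-9]*$");
    private static final Set<String> ALLOWED = new HashSet<String>();
    static { ALLOWED.add("displayName"); }

    private Map<String, Object> session;
    private String displayName;

    public void setSession(Map<String, Object> session) { this.session = session; }
    // deliberately no getSession(): keep the collection off the binding surface

    public boolean acceptableParameterName(String parameterName) {
        return parameterName != null
            && SIMPLE_NAME.matcher(parameterName).matches()
            && ALLOWED.contains(parameterName);
    }

    public void setDisplayName(String displayName) { this.displayName = displayName; }
    public String getDisplayName() { return displayName; }

    public String execute() {
        session.put("displayName", displayName);
        return SUCCESS;
    }
}
```

The allow-list in `acceptableParameterName` is a per-action complement to the vendor's interceptor-level workaround, not a replacement for upgrading: the interceptor's `excludeParams` setting in struts.xml is what protects every action in the application at once, including ones that were written before the exposure was understood.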