First published: Mon Jul 04 2016(Updated: )
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.
Credit: vultures@jpcert.or.jp
Affected Software | Affected Version | How to fix |
---|---|---|
Apache Struts 2 | =1.0 | |
Apache Struts 2 | =1.0.2 | |
Apache Struts 2 | =1.1 | |
Apache Struts 2 | =1.1-b1 | |
Apache Struts 2 | =1.1-b2 | |
Apache Struts 2 | =1.1-b3 | |
Apache Struts 2 | =1.1-rc1 | |
Apache Struts 2 | =1.1-rc2 | |
Apache Struts 2 | =1.2.2 | |
Apache Struts 2 | =1.2.4 | |
Apache Struts 2 | =1.2.6 | |
Apache Struts 2 | =1.2.7 | |
Apache Struts 2 | =1.2.8 | |
Apache Struts 2 | =1.2.9 | |
Apache Struts 2 | =1.3.5 | |
Apache Struts 2 | =1.3.8 | |
Apache Struts 2 | =1.3.10 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2015-0899 has been classified as a high severity vulnerability due to its potential for remote exploitation and the ability to bypass access restrictions.
To fix CVE-2015-0899, update Apache Struts to a version later than 1.3.10 where the vulnerability is patched.
CVE-2015-0899 affects Apache Struts versions 1.1 through 1.3.10.
Yes, exploiting CVE-2015-0899 can allow remote attackers to gain unauthorized access to restricted areas of a web application.
The vulnerability in CVE-2015-0899 allows bypassing of intended access restrictions through a modified page parameter in the MultiPageValidator implementation.