
Test ID: 1.3.6.1.4.1.25623.1.0.808021
Category: Web application abuses
Title: Apache Struts Security Update (S2-028, S2-030, S2-034)
Summary: Apache Struts is prone to multiple vulnerabilities.
Description: Summary:
Apache Struts is prone to multiple vulnerabilities.

Vulnerability Insight:
Multiple flaws exist:

- When forced, the Apache Struts framework performs double evaluation of attribute
values assigned to certain tags, so it is possible to pass in a value that will be
evaluated again when a tag's attributes are rendered.

- The interceptor does not perform any validation of user input and accepts an arbitrary
string, which a developer can use to display the language selected by the user.

- The application does not properly validate cached method references when used with OGNL
before 3.0.12.

Vulnerability Impact:
Successful exploitation will allow remote attackers to
inject arbitrary web script or HTML via multi-byte characters in a URL-encoded parameter,
or to cause a denial of service (block access to a web site) via unspecified vectors.

Affected Software/OS:
Apache Struts 2.x through 2.3.24.1.

Solution:
Update to version 2.3.28 or later.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P

Cross Reference: Common Vulnerability Exposure (CVE) ID: CVE-2016-4003
BugTraq ID: 86311
http://www.securityfocus.com/bid/86311
http://www.securitytracker.com/id/1035268
Common Vulnerability Exposure (CVE) ID: CVE-2016-2162
BugTraq ID: 85070
http://www.securityfocus.com/bid/85070
http://www.securitytracker.com/id/1035272
Common Vulnerability Exposure (CVE) ID: CVE-2016-3093
1036018
http://www.securitytracker.com/id/1036018
90961
http://www.securityfocus.com/bid/90961
[struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204
https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef%40%3Cdev.struts.apache.org%3E
http://struts.apache.org/docs/s2-034.html
http://www-01.ibm.com/support/docview.wss?uid=swg21987854
Copyright: Copyright (C) 2016 Greenbone Networks GmbH





© 1998-2025 E-Soft Inc. All rights reserved.