GHSA-q5q8-jghf-3pm3

Suggest an improvement
Source
https://github.com/advisories/GHSA-q5q8-jghf-3pm3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q5q8-jghf-3pm3/GHSA-q5q8-jghf-3pm3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q5q8-jghf-3pm3
Aliases
  • CVE-2013-4310
Published
2022-05-17T04:44:52Z
Modified
2024-12-07T05:38:33.380493Z
Summary
Apache Struts2 Broken Access Control Vulnerability
Details

The Struts 2 action mapping mechanism supports the special parameter prefix action: which is intended to help with attaching navigational information to buttons within forms, under certain conditions this can be used to bypass security constraints.

In Struts 2.3.15.3 the action mapping mechanism was changed to avoid circumventing security constraints. Two additional constants were introduced to steer behaviour of DefaultActionMapper:

  • struts.mapper.action.prefix.enabled - when set to false support for "action:" prefix is disabled, set to false by default
  • struts.mapper.action.prefix.crossNamespaces - when set to false, actions defined with "action:" prefix must be in the same namespace as current action
Database specific
{
    "nvd_published_at": "2013-09-30T21:55:00Z",
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-03T23:00:35Z"
}
References

Affected packages

Maven / org.apache.struts:struts2-core

Package

Name
org.apache.struts:struts2-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.struts/struts2-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.3.15.3

Affected versions

2.*

2.0.5
2.0.6
2.0.8
2.0.9
2.0.11
2.0.11.1
2.0.11.2
2.0.12
2.0.14
2.1.2
2.1.6
2.1.8
2.1.8.1
2.2.1
2.2.1.1
2.2.3
2.2.3.1
2.3.1
2.3.1.1
2.3.1.2
2.3.3
2.3.4
2.3.4.1
2.3.7
2.3.8
2.3.12
2.3.14
2.3.14.1
2.3.14.2
2.3.14.3
2.3.15
2.3.15.1
2.3.15.2