Vulnerability Description
Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this report because of an "easy work-around in existing apps by configuring the interceptor."
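The mechanism behind this report is that the params interceptor treats every request parameter name as a property path on the action, so on an action that implements SessionAware (or RequestAware, ApplicationAware, and the others named above) and exposes the injected map through a getter, a parameter such as `session.role=admin` becomes a put into the server-side session map. The work-around the vendor refers to is the interceptor's parameter-name exclusion list. The script below is an added example, not code from the Struts project or from the advisory: it models that behaviour in Python so the tampering path and the exclusion check can be run side by side, and it adds a log-scanning check for the same parameter names. `LoginAction`, `apply_params`, the `EXCLUDE_PARAMS` patterns, and the sample log lines are all my own constructions for illustration; the exclusion patterns are written to cover the interfaces listed in the description, not copied from any Struts release.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Exclusion list in the same shape the Struts 2 params interceptor takes for
# its excludeParams setting (comma-separated regular expressions, each one
# required to match the whole parameter name). These patterns are mine, written
# for this example to cover the interfaces the advisory names; compare them
# against the struts-default.xml that ships with your own Struts version.
EXCLUDE_PARAMS = (
    r"^session\..*,^request\..*,^application\..*,"
    r"^servlet(Request|Response)\..*,^parameters\..*"
)
EXCLUDE_RES = [re.compile(p) for p in EXCLUDE_PARAMS.split(",")]


def is_excluded(name: str) -> bool:
    """True if an interceptor configured with EXCLUDE_PARAMS would drop the parameter."""
    return any(r.fullmatch(name) for r in EXCLUDE_RES)


class LoginAction:
    """Hypothetical stand-in for a Struts 2 action implementing SessionAware:
    the framework hands it the session map (setSession in Java), and a getter
    exposes that map to property-path evaluation."""

    def __init__(self, session: dict):
        self.username = ""
        self.session = session


def apply_params(action, params: dict, excludes=None) -> list:
    """Model of the params interceptor: a parameter name is a property path on
    the action, so 'session.role' resolves to action.session['role'].
    Returns the parameter names that were actually applied."""
    applied = []
    for name, value in params.items():
        if excludes is not None and any(r.fullmatch(name) for r in excludes):
            continue                      # dropped before evaluation
        head, _, rest = name.partition(".")
        if not hasattr(action, head):
            continue                      # no such property on the action
        target = getattr(action, head)
        if rest == "":
            setattr(action, head, value)  # ordinary form field
        elif isinstance(target, dict):
            target[rest] = value          # map put: the tampering path
        else:
            continue
        applied.append(name)
    return applied


def demo():
    """Same crafted request against an unconfigured and a configured interceptor."""
    crafted = {"username": "bob", "session.role": "admin"}
    unprotected = LoginAction({"role": "user"})
    apply_params(unprotected, crafted)
    protected = LoginAction({"role": "user"})
    apply_params(protected, crafted, EXCLUDE_RES)
    return unprotected.session["role"], protected.session["role"]


# Constructed access-log lines (combined-log shape, not from any real system).
# Only GET query strings are visible here; POST bodies never reach an access log.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2011:10:01:02 +0000] "GET /app/login.action?username=bob HTTP/1.1" 200 512
10.0.0.9 - - [12/Dec/2011:10:01:07 +0000] "GET /app/login.action?username=bob&session.role=admin HTTP/1.1" 200 512
10.0.0.9 - - [12/Dec/2011:10:01:09 +0000] "POST /app/profile.action?application.maintenance=false HTTP/1.1" 302 0
"""
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|PUT|DELETE) (\S+) ')


def scan_log(text: str) -> list:
    """Flag (client, parameter) pairs whose names would reach the injected
    session/request/application collections on an unconfigured action."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        client, path = m.groups()
        for name, _ in parse_qsl(urlsplit(path).query, keep_blank_values=True):
            if is_excluded(name):
                hits.append((client, name))
    return hits


if __name__ == "__main__":
    print(demo())
    for client, name in scan_log(SAMPLE_LOG):
        print(f"{client} sent tampering parameter {name}")
```

In a real deployment the equivalent of `EXCLUDE_RES` is the `excludeParams` parameter on the params interceptor in struts.xml; the patterns above are deliberately anchored with `^` and matched against the whole name, since a prefix that is merely contained (for example `mysession.role`) is a legitimate form field and must not be dropped.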
CVSS Score
5.0 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Struts | >= 2.0.0, < 2.3.3 |
Related Weaknesses (CWE)
References
- http://codesecure.blogspot.com/2011/12/struts-2-session-tampering-via.html (Third Party Advisory)
- http://secunia.com/advisories/47109 (Permissions Required)
- https://issues.apache.org/jira/browse/WW-2264 (Issue Tracking, Vendor Advisory)
- https://issues.apache.org/jira/browse/WW-3631 (Issue Tracking, Vendor Advisory)
FAQ
What is CVE-2011-5057?
CVE-2011-5057 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attacker...
How severe is CVE-2011-5057?
CVE-2011-5057 has been rated MEDIUM with a CVSS base score of 5.0/10; this page lists only the base score and rating, not the full vector. Note that the vendor disputes the significance of the report, on the grounds that existing applications can mitigate it by configuring the interceptor.
Is there a patch for CVE-2011-5057?
The Affected Products table above gives the affected version range for Apache Struts. The Apache issue tracker entries WW-2264 and WW-3631 in the references track the fix, and the vendor states that existing applications can be protected without upgrading by configuring the interceptor.