Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 5.0 (CVSS v2 base score)
CVSS v2 Vector AV:N/AC:L/Au:N/C:N/I:P/A:N
CVE Id CVE-2011-5057
Last Modified 09 Jan 2012 05:36:17
Published 08 Jan 2012 12:55:00
Confidentiality Impact NONE
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2011-5057

Summary

Apache Struts 2.3.1.1 and earlier provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this report because of an "easy work-around in existing apps by configuring the interceptor."
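The mechanism behind this entry is that ParametersInterceptor treats each request-parameter name as an OGNL expression evaluated against the action on the value stack, so an action that exposes one of the injected collections as a readable bean property lets a client write into that collection by name. The following is an added example, not code from this page or from the Apache Struts project: a constructed SessionAware action showing the exposure beside a hardened form, with the interceptor configuration the vendor's "easy work-around" refers to quoted in a comment. The class names, the "role" attribute and the result names are illustrative assumptions; the excludeParams pattern shown is the form that Struts 2.3.1.2 and later ship in struts-default.xml.

```java
import java.util.Map;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.SessionAware;

/*
 * VULNERABLE PATTERN (constructed for this example, not from the page).
 *
 * ParametersInterceptor evaluates every request-parameter name as an OGNL
 * expression against the action. SessionAware only requires setSession(Map),
 * but many actions also expose the map through a public getter. With that
 * getter present, the parameter name "session.role" resolves to
 * getSession().put("role", value), so the unauthenticated request
 *
 *     GET /profile.action?session.role=admin
 *
 * writes the attribute "role" into the caller's HttpSession before execute()
 * runs. RequestAware / ApplicationAware actions that expose their maps are
 * reachable the same way ("request.x", "application.x").
 */
public class ProfileAction extends ActionSupport implements SessionAware {
    private Map<String, Object> session;

    @Override
    public void setSession(Map<String, Object> session) {
        this.session = session;
    }

    // This public getter is what turns the injected map into a property that
    // request parameters can write to.
    public Map<String, Object> getSession() {
        return session;
    }

    @Override
    public String execute() {
        // Authorisation keyed on a session attribute the client can set
        // through the query string: "admin" is an illustrative result name.
        return "admin".equals(session.get("role")) ? "admin" : SUCCESS;
    }
}

/*
 * HARDENED PATTERN. Two independent controls; apply both.
 *
 * 1. Do not expose the injected map as a bean property. Without a public
 *    getSession() there is no "session" property for OGNL to traverse, the
 *    assignment fails, and ParametersInterceptor discards the parameter.
 *    Read the entries you need through a narrow method instead.
 *
 * 2. Configure the params interceptor (the vendor's work-around): reject
 *    parameter names that start with the collection names before OGNL sees
 *    them. In struts.xml, inside your interceptor stack:
 *
 *      <interceptor-ref name="params">
 *        <param name="excludeParams">dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,parameters\...*</param>
 *      </interceptor-ref>
 *
 *    Overriding an <interceptor-ref> replaces its parameters, so keep the
 *    pre-existing entries (dojo\..*, ^struts\..*) in the list.
 */
class HardenedProfileAction extends ActionSupport implements SessionAware {
    private Map<String, Object> session;

    @Override
    public void setSession(Map<String, Object> session) {
        this.session = session;
    }

    // Narrow, private accessor: returns one value, never the map itself, and
    // is not reachable as an OGNL property.
    private boolean isAdmin() {
        return "admin".equals(session.get("role"));
    }

    @Override
    public String execute() {
        return isAdmin() ? "admin" : SUCCESS;
    }
}
```

To check an existing application, send a request carrying `session.<name>=<value>` for a name the application never sets and inspect the session afterwards (for example from a debug action or a breakpoint in the next request); if the attribute appears, the action exposes the map and the interceptor is not excluding the name. Control 1 removes the property, control 2 stops the parameter at the interceptor, and neither depends on the other.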

Vulnerable Systems

Application

  • Apache Struts 2.0.0
  • Apache Struts 2.0.1
  • Apache Struts 2.0.2
  • Apache Struts 2.0.3
  • Apache Struts 2.0.4
  • Apache Struts 2.0.5
  • Apache Struts 2.0.6
  • Apache Struts 2.0.7
  • Apache Struts 2.0.8
  • Apache Struts 2.0.9
  • Apache Struts 2.0.10
  • Apache Struts 2.0.11
  • Apache Struts 2.0.11.1
  • Apache Struts 2.0.11.2
  • Apache Struts 2.0.12
  • Apache Struts 2.0.13
  • Apache Struts 2.0.14
  • Apache Struts 2.1.0
  • Apache Struts 2.1.1
  • Apache Struts 2.1.2
  • Apache Struts 2.1.3
  • Apache Struts 2.1.4
  • Apache Struts 2.1.5
  • Apache Struts 2.1.6
  • Apache Struts 2.1.8
  • Apache Struts 2.1.8.1
  • Apache Struts 2.2.1
  • Apache Struts 2.2.1.1
  • Apache Struts 2.2.3

References

CONFIRM - https://issues.apache.org/jira/browse/WW-3631
CONFIRM - https://issues.apache.org/jira/browse/WW-2264
SECUNIA - 47109
MISC - http://codesecure.blogspot.com/2011/12/struts-2-session-tampering-via.html

Last Updated: 27 May 2016 10:58:01