Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 6.8
CVE Id: CVE-2012-4386
Last Modified: 06 Sep 2012 12:00:00
Published: 05 Sep 2012 07:55:02
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2012-4386

Summary

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute.

Vulnerable Systems

Application

  • Apache Struts 2.0.0
  • Apache Struts 2.0.1
  • Apache Struts 2.0.10
  • Apache Struts 2.0.11
  • Apache Struts 2.0.11.1
  • Apache Struts 2.0.11.2
  • Apache Struts 2.0.12
  • Apache Struts 2.0.13
  • Apache Struts 2.0.14
  • Apache Struts 2.0.2
  • Apache Struts 2.0.3
  • Apache Struts 2.0.4
  • Apache Struts 2.0.5
  • Apache Struts 2.0.6
  • Apache Struts 2.0.7
  • Apache Struts 2.0.8
  • Apache Struts 2.0.9
  • Apache Struts 2.1.0
  • Apache Struts 2.1.1
  • Apache Struts 2.1.2
  • Apache Struts 2.1.3
  • Apache Struts 2.1.4
  • Apache Struts 2.1.5
  • Apache Struts 2.1.6
  • Apache Struts 2.1.8
  • Apache Struts 2.1.8.1
  • Apache Struts 2.2.1
  • Apache Struts 2.2.1.1
  • Apache Struts 2.2.3
  • Apache Struts 2.2.3.1
  • Apache Struts 2.3.1
  • Apache Struts 2.3.1.1
  • Apache Struts 2.3.1.2
  • Apache Struts 2.3.3
  • Apache Struts 2.3.4


References

CONFIRM - https://issues.apache.org/jira/browse/WW-3858
XF - apache-struts-csrf(78182)
BID - 55346
MLIST - [oss-security] 20120901 Re: CVE request: Apache Struts S2-010 and S2-011
MLIST - [oss-security] 20120901 CVE request: Apache Struts S2-010 and S2-011
CONFIRM - http://struts.apache.org/2.x/docs/s2-010.html
SECUNIA - 50420


Last Updated: 27 May 2016 11:00:29