Apache Struts access Restriction Bypass Vulnerability (CVE-2016-4433)
Release date:
Updated on:
Affected Systems:
Apache Struts 2 2.3.20 through 2.3.28.1
Description:
CVE (CAN) ID: CVE-2016-4433
Struts 2 is an extensible framework for building enterprise-level Java web applications.
Apache Struts 2 versions 2.3.20 through 2.3.28.1 allow an action's getter methods to be invoked as action methods (bulletin S2-039, "Getter as action method leads to security bypass"). A remote attacker who crafts a request naming such a method can bypass the access restrictions the application intended to enforce and perform redirection attacks. The issue is fixed in Struts 2.3.29.
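As an added example (not code from the advisory, its reporter, or the Struts project), the following POSIX shell helper finds struts2-core jars under a deployment directory and flags those whose file-name version falls in the affected range 2.3.20 through 2.3.28.1. The integer encoding of the version and the assumption that the jar still carries its upstream file name are mine; a renamed or shaded jar must be checked by hand.

```shell
#!/bin/sh
# Added example: check whether struts2-core jars deployed under a directory
# fall in the S2-039 affected range, 2.3.20 through 2.3.28.1 (fixed in 2.3.29).
# Only the jar file name is inspected, so renamed or shaded jars report "unknown".

# Pull the version out of a jar name such as struts2-core-2.3.28.1.jar.
# Prints nothing for names that do not follow that pattern.
struts_version_from_jar() {
  basename "$1" | sed -n 's/^struts2-core-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# Turn a dotted version into a sortable integer: 2.3.28.1 -> 2003028001.
# Missing trailing components count as 0; assumes each component is below 1000.
version_key() {
  printf '%s\n' "$1" | awk -F. '{ printf "%.0f\n", $1*1000000000 + $2*1000000 + $3*1000 + $4 }'
}

# Classify one jar path: prints affected, not-affected, or unknown.
struts_s2_039_status() {
  v=$(struts_version_from_jar "$1")
  if [ -z "$v" ]; then
    echo unknown
    return 0
  fi
  k=$(version_key "$v")
  if [ "$k" -ge "$(version_key 2.3.20)" ] && [ "$k" -le "$(version_key 2.3.28.1)" ]; then
    echo affected
  else
    echo not-affected
  fi
}

# Walk a deployment directory and report every struts2-core jar found.
scan_struts_jars() {
  find "$1" -type f -name 'struts2-core-*.jar' 2>/dev/null | while IFS= read -r jar; do
    printf '%s\t%s\n' "$(struts_s2_039_status "$jar")" "$jar"
  done
}

# Demo against a constructed directory tree (empty files stand in for jars).
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  mkdir -p "$tmp/app1/WEB-INF/lib" "$tmp/app2/WEB-INF/lib"
  : > "$tmp/app1/WEB-INF/lib/struts2-core-2.3.28.1.jar"   # constructed: in affected range
  : > "$tmp/app2/WEB-INF/lib/struts2-core-2.3.29.jar"     # constructed: fixed release
  scan_struts_jars "$tmp"
  rm -rf "$tmp"
fi
```

Run it as `sh check-struts.sh --demo` to see the report format, or call `scan_struts_jars /path/to/tomcat/webapps` against a real deployment. The version is only read from the file name, so treat "unknown" as a prompt to inspect the jar's META-INF manifest, not as a clean result.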
Source: Takeshi Terada (websec02 dot g02 at gmail.com)
Link: https://struts.apache.org/docs/s2-039.html
Suggestion:
Vendor patch:
Apache Group
------------
The Apache Struts team has published security bulletin S2-039 and a fixed release, Struts 2.3.29. Upgrade affected deployments to 2.3.29 or later:
S2-039: Getter as action method leads to security bypass
Link: https://struts.apache.org/docs/s2-039.html
Patch download: https://struts.apache.org/docs/version-notes-2329.html
Reference link: https://bugzilla.redhat.com/show_bug.cgi?id=1348251