Apache Struts access Restriction Bypass Vulnerability (CVE-2016-4431)
Release date:
Updated on:
Affected Systems:
Apache Group Struts2 2.3.20-2.3.28.1
Description:
CVE (CAN) ID: CVE-2016-4431
Struts2 is an extensible framework for building enterprise-level Java web applications.
Apache Struts 2 versions 2.3.20 through 2.3.28.1 contain an access restriction bypass. In a default configuration, a remote attacker can bypass access restrictions and perform redirection attacks.
Source: Takeshi Terada (websec02 dot g02 at gmail.com)
Link: https://struts.apache.org/docs/s2-040.html
Suggestion:
Vendor patch:
Apache Group
------------
Apache Group has released a Security Bulletin (S2-040) and patches for this:
S2-040: Input validation bypass using existing default action method.
Link: https://struts.apache.org/docs/s2-040.html
Patch download: https://struts.apache.org/docs/version-notes-2329.html
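The advisory gives an inclusive affected range (2.3.20 through 2.3.28.1) and points to the 2.3.29 version notes for the fix. A practical check is to compare the struts2-core version actually deployed, or declared in a build file, against that range. The script below is an added example, not part of the advisory or of the Struts project; it assumes 2.3.29 is the first fixed release (inferred from the version-notes-2329 link) and uses constructed jar paths and a constructed pom.xml as input.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, ...]

# Affected range taken from the advisory, inclusive on both ends.
AFFECTED_MIN: Version = (2, 3, 20)
AFFECTED_MAX: Version = (2, 3, 28, 1)
# Assumption: first fixed release is 2.3.29 (the vendor's version-notes-2329 link).
FIXED_MIN: Version = (2, 3, 29)

# Matches struts2-core-<numeric version>.jar at the end of a path.
JAR_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)*)\.jar$")
MAVEN_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(text: str) -> Optional[Version]:
    """Turn '2.3.28.1' into (2, 3, 28, 1); None for non-numeric strings."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        return None
    return tuple(int(p) for p in text.split("."))


def classify(version: str) -> str:
    """Classify one struts2-core version against the S2-040 affected range."""
    v = parse_version(version)
    if v is None:
        return "unknown"        # e.g. '-SNAPSHOT' or an unresolved ${property}
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED_MIN:
        return "patched"
    return "out-of-range"       # older than 2.3.20: not covered by this advisory


def scan_jar_paths(paths: Iterable[str]) -> Dict[str, str]:
    """Map every struts2-core jar path in the list to its classification."""
    results: Dict[str, str] = {}
    for path in paths:
        m = JAR_RE.search(path)
        if m:
            results[path] = classify(m.group(1))
    return results


def struts_versions_from_pom(pom_xml: str) -> Dict[str, str]:
    """Find struts2-core dependencies in a pom.xml, resolving ${property} versions."""
    root = ET.fromstring(pom_xml)
    props: Dict[str, str] = {}
    props_el = root.find("m:properties", MAVEN_NS)
    if props_el is not None:
        for child in props_el:
            props[child.tag.split("}")[-1]] = (child.text or "").strip()
    found: Dict[str, str] = {}
    for dep in root.iterfind(".//m:dependency", MAVEN_NS):
        if dep.findtext("m:artifactId", default="", namespaces=MAVEN_NS) != "struts2-core":
            continue
        ver = dep.findtext("m:version", default="", namespaces=MAVEN_NS).strip()
        ref = re.fullmatch(r"\$\{([^}]+)\}", ver)
        if ref:
            ver = props.get(ref.group(1), ver)   # leave unresolved refs as-is
        found[ver] = classify(ver)
    return found


# Constructed sample input (not real hosts or projects).
SAMPLE_JARS = [
    "/opt/app1/WEB-INF/lib/struts2-core-2.3.28.1.jar",
    "/opt/app2/WEB-INF/lib/struts2-core-2.3.29.jar",
    "/opt/app3/WEB-INF/lib/struts2-core-2.3.16.3.jar",
    "/opt/app3/WEB-INF/lib/commons-lang3-3.4.jar",
]

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.24</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for path, status in scan_jar_paths(SAMPLE_JARS).items():
        print(f"{status:13} {path}")
    for ver, status in struts_versions_from_pom(SAMPLE_POM).items():
        print(f"{status:13} pom.xml declares struts2-core {ver}")
```

Versions carrying a qualifier such as `-SNAPSHOT`, or a `${property}` the pom does not define, are reported as `unknown` rather than silently treated as safe, so they surface for manual review.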