Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1oNHY5LWpmMnItOWg2bc4AAWFk

Moderate EPSS: 0.12682% (0.93652 Percentile) EPSS:
Permalink JSON

Cross-Site Request Forgery in Apache Struts

Affected Packages Affected Versions Fixed Versions
maven:org.apache.struts:struts2-core < 2.3.20 2.3.20
194 Dependent packages
6,183 Dependent repositories

Affected Version Ranges

All affected versions

2.0.5, 2.0.6, 2.0.8, 2.0.9, 2.0.11, 2.0.12, 2.0.14, 2.1.2, 2.1.6, 2.1.8, 2.2.1, 2.2.3, 2.3.1, 2.3.3, 2.3.4, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.15, 2.3.16

All unaffected versions

2.3.20, 2.3.24, 2.3.28, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.3.34, 2.3.35, 2.3.36, 2.3.37, 2.5.1, 2.5.2, 2.5.5, 2.5.8, 2.5.10, 2.5.12, 2.5.13, 2.5.14, 2.5.16, 2.5.17, 2.5.18, 2.5.20, 2.5.22, 2.5.25, 2.5.26, 2.5.27, 2.5.28, 2.5.29, 2.5.30, 2.5.31, 2.5.32, 2.5.33, 6.0.0, 6.0.3, 6.1.1, 6.1.2, 6.2.0, 6.3.0, 6.4.0, 6.6.0, 6.6.1, 6.7.0, 6.7.4, 7.0.0, 7.0.3

Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.

References:

Identifiers

GHSA-h4v9-jf2r-9h6m

CVE-2014-7809

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.12682

EPSS Percentile: 0.93652

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/apache/struts

Date and time

Published

about 3 years ago

Updated

over 1 year ago

API

JSON