Bug 983684 - (CVE-2016-1182) VUL-0: CVE-2016-1182: struts: Improper input validation in Validator
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
unspecified
Other Other
Priority: P3 - Medium, Severity: Normal
Assigned To: Tomáš Chvátal
Security Team bot
https://smash.suse.de/issue/169844/
CVSSv2:SUSE:CVE-2016-1182:5.8:(AV:N/A...
Reported: 2016-06-08 09:16 UTC by Marcus Meissner
Modified: 2016-07-01 14:27 UTC (History)

Found By: Security Response Team


Attachments
struts-1.3.10-CVE-2016-1181-CVE-2016-1182.patch (1.84 KB, patch)
2016-07-01 13:12 UTC, Andreas Stieger

Description Marcus Meissner 2016-06-08 09:16:02 UTC
via rh bugzilla

It was reported that the Apache Struts 1 Validator contains a vulnerability where input validation configurations (validation rules, error messages, etc.) may be modified. This occurs when ValidatorForm and ValidatorActionForm (including their subclasses) are in the session scope.

Affects Apache Struts 1 versions 1.0 through 1.3.10.

External References:

https://jvn.jp/en/jp/JVN65044642/

JVN#65044642
Apache Struts 1 vulnerable to input validation bypass
Overview

The Apache Struts 1 Validator contains a vulnerability where input validation is bypassed.
Products Affected

    Apache Struts 1 versions 1.0 through 1.3.10

Description

The Apache Struts 1 Validator contains a vulnerability where input validation configurations (validation rules, error messages, etc.) may be modified.
This occurs when the following ActionForm classes (including their subclasses) are in the session scope.

    ValidatorForm
    ValidatorActionForm

Impact

Effects vary depending on the web application. For example, cross-site scripting attacks or denial-of-service (DoS) attacks may be possible.
Comment 3 Swamp Workflow Management 2016-06-08 22:02:08 UTC
bugbot adjusting priority
Comment 6 Andreas Stieger 2016-07-01 13:12:09 UTC
Created attachment 682822
struts-1.3.10-CVE-2016-1181-CVE-2016-1182.patch

fedora patch
Comment 7 Andreas Stieger 2016-07-01 13:29:21 UTC
struts is only supported as part of the SUSE Manager product.
The only package using struts there is spacewalk-java.
The shipped versions of spacewalk-java do not use the problematic code.
The package itself is affected, but not our usage of it. Not requesting an update.
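The condition named in the description (a ValidatorForm or ValidatorActionForm held in session scope) is something an operator can check in a deployment's struts-config.xml before deciding, as comment 7 does, whether the affected code is actually reachable. The script below is an added example, not code from this bug, from SUSE or from the Struts project: it lists action mappings that bind one of the two affected form-bean types in session scope, using a constructed sample config; it assumes one XML element per line and relies on Struts 1 treating a mapping with no scope attribute as session-scoped.

```shell
#!/bin/sh
# Constructed sample struts-config.xml (not taken from any real deployment).
SAMPLE_CONFIG=$(mktemp)
cat >"$SAMPLE_CONFIG" <<'EOF'
<struts-config>
  <form-beans>
    <form-bean name="loginForm" type="org.apache.struts.validator.ValidatorForm"/>
    <form-bean name="searchForm" type="org.apache.struts.validator.ValidatorActionForm"/>
    <form-bean name="plainForm" type="org.apache.struts.action.ActionForm"/>
  </form-beans>
  <action-mappings>
    <action path="/login" name="loginForm" scope="request" type="example.LoginAction"/>
    <action path="/search" name="searchForm" type="example.SearchAction"/>
    <action path="/edit" name="loginForm" scope="session" type="example.EditAction"/>
    <action path="/plain" name="plainForm" scope="session" type="example.PlainAction"/>
  </action-mappings>
</struts-config>
EOF

# Pull one attribute value ($1) out of a single-line XML element ($2); prints nothing if absent.
attr() { printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"; }

# Print the action paths that bind a ValidatorForm/ValidatorActionForm bean in session scope.
# Assumes one element per line. A subclass whose fully qualified type name does not match the
# two Struts classes is not detected here and needs a source review instead.
session_validator_actions() {
  config="$1"
  beans=$(grep '<form-bean ' "$config" \
    | grep -E 'type="org\.apache\.struts\.validator\.Validator(Action)?Form"' \
    | while IFS= read -r l; do attr name "$l"; done)
  grep '<action ' "$config" | while IFS= read -r line; do
    scope=$(attr scope "$line")
    # Struts 1 defaults a mapping's scope to "session" when the attribute is omitted.
    if [ -z "$scope" ]; then scope=session; fi
    if [ "$scope" != session ]; then continue; fi
    name=$(attr name "$line")
    for bean in $beans; do
      if [ "$bean" = "$name" ]; then attr path "$line"; fi
    done
  done
}

session_validator_actions "$SAMPLE_CONFIG"
```

For the sample above this reports /search (no scope attribute, so session by default) and /edit, and skips /login (request scope) and /plain (plain ActionForm).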