Bug 924887 - (CVE-2015-0899) VUL-0: CVE-2015-0899: struts: Apache Struts 1: input validation bypass in MultiPageValidator
VUL-0: CVE-2015-0899: struts: Apache Struts 1: input validation bypass in Mul...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:released:sle10-sp3:61446 maint:...
Depends on:
  Show dependency treegraph
Reported: 2015-03-30 10:00 UTC by Marcus Meissner
Modified: 2016-03-13 17:32 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Patch taken from the above page and rebased (16.82 KB, patch)
2015-04-01 10:09 UTC, Tomáš Chvátal
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2015-03-30 10:00:29 UTC
via rh bugzilla


The following flaw was found in Apache Struts 1:

The Validator in Apache Struts 1.1 and later contains a function to efficiently define rules for input validation across multiple pages during screen transitions. This function contains a vulnerability where input validation may be bypassed. When the Apache Struts 1 Validator is used, the web application may be vulnerable even when this function is not used explicitly.

Upstream advisory:


Upstream patches:

Comment 1 Swamp Workflow Management 2015-03-30 11:20:54 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-04-13.
When done, reassign the bug to security-team@suse.de.
Comment 2 Marcus Meissner 2015-03-30 11:21:37 UTC
currently no bugowner set.

bnc-team-java previously.
Comment 3 Swamp Workflow Management 2015-03-30 22:00:51 UTC
bugbot adjusting priority
Comment 4 Tomáš Chvátal 2015-04-01 10:09:08 UTC
Created attachment 629559 [details]
Patch taken from the above page and rebased
Comment 5 Tomáš Chvátal 2015-04-01 10:10:07 UTC
Submission sent to SLE11.
Comment 10 Swamp Workflow Management 2015-05-15 20:05:00 UTC
SUSE-SU-2015:0886-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 924887
CVE References: CVE-2015-0899
Sources used:
SUSE Manager Server (src):    struts-1.2.9-162.37.1
SUSE Manager 1.7 for SLE 11 SP2 (src):    struts-1.2.9-162.37.1
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    struts-1.2.9-162.37.1
Comment 11 Sebastian Krahmer 2015-05-18 09:16:34 UTC