Bugzilla – Bug 924887
VUL-0: CVE-2015-0899: struts: Apache Struts 1: input validation bypass in MultiPageValidator
Last modified: 2016-03-13 17:32:17 UTC
via rh bugzilla
The following flaw was found in Apache Struts 1:
The Validator in Apache Struts 1.1 and later contains a function to efficiently define rules for input validation across multiple pages during screen transitions. This function contains a vulnerability where input validation may be bypassed. When the Apache Struts 1 Validator is used, the web application may be vulnerable even when this function is not used explicitly.
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages by 2015-04-13.
When done, reassign the bug to email@example.com.
Currently no bugowner set.
bugbot adjusting priority
Created attachment 629559
Patch taken from the above page and rebased
Submission sent to SLE11.
SUSE-SU-2015:0886-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 924887
CVE References: CVE-2015-0899
SUSE Manager Server (src): struts-1.2.9-162.37.1
SUSE Manager 1.7 for SLE 11 SP2 (src): struts-1.2.9-162.37.1
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): struts-1.2.9-162.37.1