CVE-2011-5057
Severity CVSS v4.0:
Pending analysis
Type:
CWE-264
Permissions, Privileges, and Access Control
Publication date:
08/01/2012
Last modified:
11/04/2025
Description
Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this report because of an "easy work-around in existing apps by configuring the interceptor."
Impact
Base Score 2.0
5.00
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* | 2.0.0 (including) | 2.3.3 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://codesecure.blogspot.com/2011/12/struts-2-session-tampering-via.html
- http://secunia.com/advisories/47109
- https://issues.apache.org/jira/browse/WW-2264
- https://issues.apache.org/jira/browse/WW-3631
- http://codesecure.blogspot.com/2011/12/struts-2-session-tampering-via.html
- http://secunia.com/advisories/47109
- https://issues.apache.org/jira/browse/WW-2264
- https://issues.apache.org/jira/browse/WW-3631