...
| Excerpt | Input validation bypass using existing default action method. |
|---|---|
| Who should read this | All Struts 2 developers and users |
| Impact of vulnerability | Possible manipulation of return result and bypassing validation |
| Maximum security rating | Moderate |
| Recommendation | Upgrade to Struts 2.3.29. |
| Affected Software | Struts 2.3.20 - Struts 2.3.28.1 |
| Reporter | Takeshi Terada websec02 dot g02 at gmail.com |
| CVE Identifier | CVE-2016-4431 |
Problem
Using the existing default action method, it is possible to bypass the internal security mechanism and manipulate the returned result string, which can lead to redirecting the user to an unvalidated location.
...
Some backward incompatibility issues are expected when upgrading to Struts 2.3.29: some OGNL expressions may stop working because they perform arithmetic operations or assignments that are now disallowed.
...