...
| Who should read this | All Struts 2 developers |
|---|---|
| Impact of vulnerability | CSRF protection weakening |
| Maximum security rating | Moderate |
| Recommendation | Developers should either upgrade to Struts 2.3.4.1 |
| Affected Software | Struts 2.0.0 - Struts 2.3.4 |
| Original JIRA Tickets | |
| Reporter | James K. Williams |
| CVE Identifier | CVE-2012-4386 |
Problem
The Struts 2 token mechanism (the token tag and the token interceptors) was originally designed to provide a double-submit check for forms.
...
As of Struts 2.3.4.1, token session attribute names are decoupled from token parameter names by namespace prefixing.
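The following is an added, simplified model of a double-submit token check, written for this page and not taken from the Struts 2 code base. It contrasts a validator whose session lookup is keyed directly by the token name supplied in the request with one that prefixes the lookup with a fixed namespace, as the 2.3.4.1 fix describes. The parameter name `struts.token.name`, the prefix `struts.tokens.`, and the session contents are constructed for the example and are not Struts's actual identifiers.

```python
"""Model of decoupling token session attributes from request parameters.

Added illustration, not the Struts 2 TokenHelper implementation. The
parameter name, namespace prefix and session contents are constructed.
"""
import hmac
import secrets

TOKEN_NAME_PARAM = "struts.token.name"  # constructed: request parameter carrying the token's name
TOKEN_NAMESPACE = "struts.tokens."      # constructed: prefix reserved for attributes the token code writes


def issue_token(session: dict, token_name: str, namespaced: bool) -> str:
    """Generate a one-time token and store it in the session; the form echoes it back."""
    token = secrets.token_hex(16)
    key = TOKEN_NAMESPACE + token_name if namespaced else token_name
    session[key] = token
    return token


def _check_and_consume(session: dict, key: str, submitted) -> bool:
    """Compare the submitted value with session[key] in constant time; consume on success."""
    expected = session.get(key)
    if expected is None or submitted is None:
        return False
    if not hmac.compare_digest(str(expected), str(submitted)):
        return False
    del session[key]  # double-submit semantics: a token is valid once
    return True


def validate_coupled(session: dict, params: dict) -> bool:
    """Pre-2.3.4.1 shape: the session attribute consulted is whatever the request names."""
    token_name = params.get(TOKEN_NAME_PARAM)
    if not token_name:
        return False
    return _check_and_consume(session, token_name, params.get(token_name))


def validate_namespaced(session: dict, params: dict) -> bool:
    """2.3.4.1 shape: only attributes under the token namespace can satisfy the check."""
    token_name = params.get(TOKEN_NAME_PARAM)
    if not token_name:
        return False
    return _check_and_consume(session, TOKEN_NAMESPACE + token_name, params.get(token_name))


def demo() -> dict:
    """Run both validators over a legitimate submission and a stray one."""
    results = {}

    # Legitimate flow: the form issues a token and the browser submits it back.
    session = {"user.locale": "en_US"}  # constructed: an unrelated attribute already in the session
    token = issue_token(session, "form1", namespaced=False)
    results["coupled_legit"] = validate_coupled(
        session, {TOKEN_NAME_PARAM: "form1", "form1": token})

    session = {"user.locale": "en_US"}
    token = issue_token(session, "form1", namespaced=True)
    good = {TOKEN_NAME_PARAM: "form1", "form1": token}
    results["namespaced_legit"] = validate_namespaced(session, good)
    results["namespaced_replay"] = validate_namespaced(session, good)  # consumed: second use fails

    # A submission whose token name points at an attribute the token code never wrote.
    stray = {TOKEN_NAME_PARAM: "user.locale", "user.locale": "en_US"}
    session = {"user.locale": "en_US"}
    results["coupled_stray"] = validate_coupled(session, stray)      # satisfied by a non-token attribute
    session = {"user.locale": "en_US"}
    results["namespaced_stray"] = validate_namespaced(session, stray)  # only struts.tokens.* is consulted
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point of the prefix is that the request can only ever choose among attributes the token mechanism itself stored; anything else in the session, however predictable its value, is outside the comparison. When reviewing a custom token or CSRF interceptor, the check to make is the same: the session key used for the comparison must be derived by server-side code, never taken verbatim from a request parameter.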
Upgrade
Please upgrade to Struts 2.3.4.1.