You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 10 Current »

Security impact levels (WIP)

The Apache Struts Security Team rates the impact of each security flaw that affects Struts. We've chosen a rating scale quite similar to those used by other Apache projects in order to be consistent. Basically the goal of the rating system is to answer the question How worried should I be about this vulnerability?

Critical

A vulnerability rated with a Critical impact is one which could potentially be exploited by a remote attacker to get Struts to execute an arbitrary code. These are the sorts of vulnerabilities that could be exploited automatically by worms/hackers regardless if developers paid attention to keep their code safe and followed advices from the Security Guide.

Important

A vulnerability rated as Important impact is one which could result in the compromise of data or availability of the application. For Struts this includes issues that allow an easy remote code execution because developers didn't pay attention to treat users' inputs as unsecure and used it in the application logic.

Moderate

A vulnerability is likely to be rated as Moderate if there is significant mitigation to make the issue less of an impact. This might be because the flaw does not affect likely configurations, or it is a configuration that isn't widely used, or where a remote user must be authenticated in order to exploit the issue.

Low

All other security flaws are classed as a Low impact. This rating is used for issues that are believed to be extremely hard to exploit, or where an exploit gives minimal consequences.

Published bulletins

The following security bulletins are available:

  • No labels