
Summary

Generated value of token can be predictable

Who should read this

All Struts 2 developers and users

Impact of vulnerability

 

Maximum security rating

Medium

Recommendation

 

Affected Software

Struts

Reporter

 

CVE Identifier

 

Problem

An attacker who fetches any form that carries a token can predict the next value of the token used to secure form submission, because the generator used to produce it is not cryptographically strong.

Solution

In Struts 2.3.20 a better random generator was used to generate unpredictable values.
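The following is an added illustration, not Struts' own TokenHelper code, of the two halves of the fix described above: a token built from a non-cryptographic PRNG (java.util.Random), whose output stream is not suitable for security-sensitive values, beside one built from java.security.SecureRandom, plus a constant-time check for validating the submitted token. Class and method names (FormTokenGenerator, newWeakToken, newToken, tokenMatches) and the 32-byte token size are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Hypothetical helper (not the Struts TokenHelper) showing a weak and a
// hardened way of generating a form token.
public final class FormTokenGenerator {

    // 256 bits of entropy per token; assumed size for this example.
    private static final int TOKEN_BYTES = 32;

    // SecureRandom is a CSPRNG seeded from the platform entropy source;
    // a single shared instance is thread-safe.
    private static final SecureRandom SECURE_RNG = new SecureRandom();

    // WEAK: java.util.Random is a linear congruential generator. It is fine
    // for simulations but its output is not unpredictable, which is the
    // class of weakness this bulletin describes. Shown only for contrast.
    private static final Random WEAK_RNG = new Random();

    public static String newWeakToken() {
        return Long.toString(WEAK_RNG.nextLong());
    }

    // HARDENED: fill a buffer from the CSPRNG and encode it URL-safely so it
    // can be embedded in a hidden form field without escaping issues.
    public static String newToken() {
        byte[] buf = new byte[TOKEN_BYTES];
        SECURE_RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Compare the token stored in the session with the one submitted in the
    // form without leaking, through timing, how many leading bytes matched.
    public static boolean tokenMatches(String expected, String submitted) {
        if (expected == null || submitted == null) {
            return false;
        }
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        String issued = newToken();
        String second = newToken();
        System.out.println("weak token (do not use):  " + newWeakToken());
        System.out.println("secure token:             " + issued);
        System.out.println("two tokens differ:        " + !issued.equals(second));
        System.out.println("valid submission accepted: " + tokenMatches(issued, issued));
        System.out.println("wrong submission rejected: " + !tokenMatches(issued, second));
    }
}
```

When reviewing an application that implements its own token instead of using the tag, the check a defender wants is simply that the token source is SecureRandom (or an equivalent CSPRNG), that the token carries enough entropy to make guessing impractical, and that validation uses a constant-time comparison such as MessageDigest.isEqual rather than String.equals.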

Backward compatibility

No backward compatibility problems are expected.

Workaround

No workaround is possible when using the <s:token/> tag; you must upgrade to the latest version.
