You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Summary

Cross-Site Scripting Vulnerability in Debug Mode

Who should read this

All Struts 2 developers and users

Impact of vulnerability

Affects of a cross-site scripting vulnerability when debug mode is switched on in production environment.

Maximum security rating

Low

Recommendation

Turn off debug mode in production environment. An upgrade to Struts 2.3.20 is recommended.

Affected Software

Struts 2.0.0 - Struts Struts 2.3.16.3

Reporter

Taki Uchiyama, JPCERT/CC

CVE Identifier

CVE-2015-5169

Problem

When the Struts2 debug mode is turned on, under certain conditions an arbitrary script may be executed in the 'Problem Report' screen.

Solution

It is generally not advisable to have debug mode switched on outside of the development environment. Debug mode should always be turned off in production setup.

Struts > 2.3.20 is not vulnerable to this attack. We recommend upgrading to Struts 2.3.20 or higher.

Please also ready our Security guide - it contains useful informations how to secure your application.

Backward compatibility

No backward compatibility problems are expected.

Workaround

Upgrade to Struts 2.3.20


  • No labels