CVE-2016-4430
Publication date 4 July 2016
Last updated 24 July 2024
Ubuntu priority
Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libstruts1.2-java | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
Notes
seth-arnold
It's claimed "Struts 2.3.20 - Struts Struts 2.3.28.1" but I see no positive statement that 2.3.19 and earlier weren't affected or perhaps may have missed CSRF protection entirely or just outside of support lifetimes or whatever. So I'm leaving this 'needs-triage'.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.8 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |