[MAVEN:GHSA-RPJ9-R897-WC6Q] Open redirect in Apache Struts
Severity: Moderate
Affected Packages: 1
Fixed Packages: 1
CVEs: 1
The Struts 2 DefaultActionMapper used to support a method for short-circuit navigation state changes by prefixing parameters with "redirect:" or "redirectAction:", followed by a desired redirect target expression. This mechanism was intended to help with attaching navigational information to buttons within forms. Attackers could use this to redirect to arbitrary web sites and conduct phishing attacks.
In Struts 2 before 2.3.15.1 the information following "redirect:" or "redirectAction:" can easily be manipulated to redirect to an arbitrary location.
Package | Affected Version
---|---
pkg:maven/org.apache.struts/struts2-core | < 2.3.15.1

Package | Fixed Version
---|---
pkg:maven/org.apache.struts/struts2-core | = 2.3.15.1
- ID: MAVEN:GHSA-RPJ9-R897-WC6Q
- Severity: moderate
- URL: https://github.com/advisories/GHSA-rpj9-r897-wc6q
- Published: 2022-05-17T03:13:10
- Modified: 2023-12-28T17:26:34
- Rights: Maven Security Team
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix
---|---|---|---|---|---|---|---
Affected | pkg:maven/org.apache.struts/struts2-core | org.apache.struts | struts2-core | < 2.3.15.1 | | |
Fixed | pkg:maven/org.apache.struts/struts2-core | org.apache.struts | struts2-core | = 2.3.15.1 | | |