[MAVEN:GHSA-RPJ9-R897-WC6Q] Open redirect in Apache Struts

Severity Moderate
Affected Packages 1
Fixed Packages 1
CVEs 1

The Struts 2 DefaultActionMapper supported a short-circuit navigation mechanism: a request parameter whose name was prefixed with "redirect:" or "redirectAction:", followed by the desired redirect target expression, made the mapper issue a redirect to that target instead of running the normal action flow. The mechanism was intended to let navigation information be attached to buttons within forms. Because the target was taken straight from the request without validation, an attacker could use it to redirect users to arbitrary web sites and conduct phishing attacks.

In Struts 2 before 2.3.15.1 the information following "redirect:" or "redirectAction:" can easily be manipulated to redirect to an arbitrary location.
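The following is an added example, not code from the page or from Apache Struts. It models the prefix handling described above in Python to make the failure mode concrete: `map_request_vulnerable` mirrors the pre-2.3.15.1 behaviour (any parameter whose name begins with "redirect:" or "redirectAction:" becomes the redirect target, unvalidated), `map_request_hardened` shows the behaviour a practitioner wants after the fix (prefixes ignored by default, and even when re-enabled only a local absolute path is accepted), and `find_prefix_redirects` scans access-log lines for attempts. The `Mapping` class, the `allow_prefix_params` switch, the hostnames and the log lines are all constructed for this example and are not Struts identifiers.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

REDIRECT_PREFIXES = ("redirect:", "redirectAction:")


@dataclass
class Mapping:
    """Simplified stand-in for an action mapping (constructed for this example)."""
    action: str
    redirect_to: Optional[str] = None        # external/URL redirect target
    redirect_action: Optional[str] = None    # redirect to another action name


def _action_name(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name[:-len(".action")] if name.endswith(".action") else name


def map_request_vulnerable(url: str) -> Mapping:
    """Model of the pre-2.3.15.1 behaviour: the text after the prefix in the
    parameter NAME (the value is irrelevant) becomes the redirect target with
    no validation at all, so ?redirect:http://evil.example/ sends the user
    to evil.example."""
    parts = urlsplit(url)
    mapping = Mapping(action=_action_name(parts.path))
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.startswith("redirect:"):
            mapping.redirect_to = name[len("redirect:"):]
        elif name.startswith("redirectAction:"):
            mapping.redirect_action = name[len("redirectAction:"):]
    return mapping


def is_safe_redirect_target(target: str) -> bool:
    """Accept only a local absolute path: no scheme, no authority, no
    protocol-relative '//', no backslash or control characters that some
    browsers normalise into an authority."""
    if not target.startswith("/") or target.startswith("//"):
        return False
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def map_request_hardened(url: str, allow_prefix_params: bool = False) -> Mapping:
    """Model of the fixed behaviour: prefix parameters are not honoured unless
    explicitly re-enabled (the switch is an assumption of this example), and
    even then 'redirect:' must point to a local path and 'redirectAction:'
    must be a plain action name, never a URL."""
    parts = urlsplit(url)
    mapping = Mapping(action=_action_name(parts.path))
    if not allow_prefix_params:
        return mapping
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.startswith("redirect:"):
            target = name[len("redirect:"):]
            if is_safe_redirect_target(target):
                mapping.redirect_to = target
        elif name.startswith("redirectAction:"):
            target = name[len("redirectAction:"):]
            if re.fullmatch(r"[A-Za-z0-9_]+", target):
                mapping.redirect_action = target
    return mapping


# Detection over Combined-Log-Format lines; the lines are constructed samples.
ACCESS_LOG_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')
PREFIX_PARAM_RE = re.compile(r"[?&](?:redirect|redirectAction):", re.IGNORECASE)

SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Jul/2013:08:15:02 +0000] "GET /app/login.action?redirect:http://evil.example/ HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Jul/2013:08:15:09 +0000] "GET /app/login.action?redirectAction%3Ahttp%3A%2F%2Fevil.example%2F HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Jul/2013:08:16:00 +0000] "GET /app/index.action?page=2 HTTP/1.1" 200 5120',
]


def find_prefix_redirects(log_lines: List[str]) -> List[str]:
    """Return request targets that carry a redirect:/redirectAction: prefixed
    parameter; the target is percent-decoded first so encoded colons and
    slashes do not evade the match."""
    hits = []
    for line in log_lines:
        m = ACCESS_LOG_RE.search(line)
        if not m:
            continue
        target = unquote(m.group("target"))
        if PREFIX_PARAM_RE.search(target):
            hits.append(target)
    return hits


if __name__ == "__main__":
    crafted = "https://shop.example/app/login.action?redirect:http://evil.example/"
    print("vulnerable:", map_request_vulnerable(crafted))
    print("hardened:  ", map_request_hardened(crafted, allow_prefix_params=True))
    print("log hits:  ", find_prefix_redirects(SAMPLE_ACCESS_LOG))
```

The detector only tells you that someone tried; whether it worked depends on the struts2-core version, so pair the log check with an inventory of deployed versions against the affected range above.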

Affected package: pkg:maven/org.apache.struts/struts2-core, versions < 2.3.15.1
Fixed package:    pkg:maven/org.apache.struts/struts2-core, version 2.3.15.1
ID: MAVEN:GHSA-RPJ9-R897-WC6Q
Severity: moderate
URL: https://github.com/advisories/GHSA-rpj9-r897-wc6q
Published: 2022-05-17T03:13:10
Modified: 2023-12-28T17:26:34
Rights: Maven Security Team