URL Validation Vulnerability in Apache Struts by The Apache Software Foundation
CVE-2016-8738
5.9 MEDIUM
What is CVE-2016-8738?
In Apache Struts versions 2.5 to 2.5.5, improper handling of URL input can expose an application to a denial-of-service attack. If the application uses the built-in URLValidator without adequate checks, an attacker could craft a malicious URL that, when validated, could cause the server to become unresponsive. This poses significant risks to web application integrity and availability and calls for prompt remediation.
Affected Version(s)
Apache Struts 2.5 - 2.5.5
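An added example, not from this advisory or the Struts project: a Python check that walks a deployment directory, including jars bundled in .war/.ear archives, and flags struts2-core versions in the 2.5 to 2.5.5 range listed above. It assumes the library keeps its standard struts2-core-<version>.jar file name; classify and scan are names chosen for this example.

```python
import re
import sys
import zipfile
from pathlib import Path

# Affected range as stated on this page: Apache Struts 2.5 through 2.5.5.
AFFECTED_MIN = (2, 5, 0, 0)
AFFECTED_MAX = (2, 5, 5, 0)

# Assumption: the core library keeps its Maven artifact file name,
# struts2-core-<version>.jar. Renamed or shaded jars are not detected.
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+){1,3})([-.][A-Za-z][\w.-]*)?\.jar")


def classify(jar_name):
    """Return 'affected', 'not-affected', 'review', or None if not a Struts core jar."""
    base = jar_name.replace("\\", "/").rsplit("/", 1)[-1]
    m = JAR_RE.fullmatch(base)
    if not m:
        return None
    version = (tuple(int(p) for p in m.group(1).split(".")) + (0, 0, 0))[:4]
    if not AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "not-affected"
    # Qualified builds (e.g. -BETA3) are not addressed by the page's range,
    # so they are reported for manual review rather than decided here.
    return "review" if m.group(2) else "affected"


def scan(root):
    """Check loose jars and jars inside .war/.ear archives (nested archives are not opened)."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        names = [path.name]
        if path.suffix.lower() in {".war", ".ear"} and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                names = zf.namelist()
        for name in names:
            status = classify(name)
            if status in ("affected", "review"):
                findings.append((str(path), name.rsplit("/", 1)[-1], status))
    return sorted(findings)


if __name__ == "__main__":
    for location, jar, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:9} {jar}  ({location})")
```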