Bugzilla – Bug 778464
VUL-1: CVE-2012-4387: apache-struts: S2-010 and S2-011
Last modified: 2019-05-01 15:43:25 UTC
Via OSS-sec:

Hi,

Apache Struts 2.3.4.1 fixes the vulnerabilities described in S2-010 (CSRF) and S2-011 (DoS).

Could CVE ids be assigned please?

[1] http://struts.apache.org/2.x/docs/s2-010.html
[2] http://struts.apache.org/2.x/docs/s2-011.html

Sincerely,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Also via OSS-sec:

On 09/01/2012 11:35 AM, Raphael Geissert wrote:
> Hi,
>
> Apache Struts 2.3.4.1 fixes the vulnerabilities described in S2-010
> (CSRF) and S2-011 (DoS).
>
> Could CVE ids be assigned please?

Yes, confirmed struts 2.3.4.1 was released August 11, 2012.

====

> [1] http://struts.apache.org/2.x/docs/s2-010.html

When using Struts 2 token mechanism for CSRF protection, token check may be bypassed by misusing known session attributes

Please use CVE-2012-4386 for this issue.

====

> [2] http://struts.apache.org/2.x/docs/s2-011.html

Long request parameter names might significantly promote the effectiveness of DOS attacks

Please use CVE-2012-4387 for this issue.

These don't appear to affect struts 1.2.x/1.3.x.

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
bugbot adjusting priority
not affected