Bugzilla – Bug 985810
VUL-0: CVE-2016-4436: struts: Action name clean up is error prone
Last modified: 2016-06-21 07:40:31 UTC
https://struts.apache.org/docs/s2-035.html

Summary: Action name clean up is error prone

Who should read this: All Struts 2 developers and users
Impact of vulnerability: Possible way to craft vulnerable payload
Maximum security rating: Low
Recommendation: Upgrade to latest version of the Apache Struts, 2.3.29 or 2.5.1.
Affected Software: Struts 2.0.0 - Struts 2.3.28.1
Reporters: Alvaro Munoz (alvaro dot munoz at hpe dot com), Sam Ng (samn at hpe dot com)
CVE Identifier: CVE-2016-4436

Problem
The method used to clean up action name can produce vulnerable payload based on crafted input which can be used by attacker to perform unspecified attack.

Solution
You should upgrade to latest Struts version or implement your own version of ActionMapper based on source code of recommended Struts versions.

Backward compatibility
No issues expected when upgrading Struts version.

Workaround
Implement your own version of clean up method which will throw an exception.
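
The contrast behind the advisory's workaround, as an added example that is not Struts source code and not part of the original report: a clean up routine that silently drops disallowed characters beside one that throws. The allow-list pattern, class name, method names and sample inputs are assumptions made for this illustration; in an application the strict check would sit in the custom ActionMapper the advisory mentions.

```java
import java.util.regex.Pattern;

// Added illustration, not Struts source. The allow-list pattern and both
// method names are assumptions chosen for this example.
public class ActionNameCleanup {
    // Assumed allow-list: letters, digits and a few separators.
    static final Pattern ALLOWED = Pattern.compile("[a-zA-Z0-9._!/\\-]*");

    // Error-prone style: silently drop every character outside the allow-list.
    // The result can be a name that the request never literally contained.
    static String stripCleanup(String raw) {
        if (ALLOWED.matcher(raw).matches()) {
            return raw;
        }
        StringBuilder sb = new StringBuilder();
        for (char c : raw.toCharArray()) {
            if (ALLOWED.matcher(String.valueOf(c)).matches()) {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // Workaround style: never repair the input, refuse it.
    static String strictCleanup(String raw) {
        if (raw == null || !ALLOWED.matcher(raw).matches()) {
            throw new IllegalArgumentException(
                "Action name rejected: disallowed characters");
        }
        return raw;
    }

    public static void main(String[] args) {
        // Constructed inputs: one clean name, one with disallowed characters.
        String[] samples = { "user/list", "re(po)rt#ex port" };
        for (String raw : samples) {
            System.out.println("raw      : " + raw);
            System.out.println("stripped : " + stripCleanup(raw));
            try {
                System.out.println("strict   : " + strictCleanup(raw));
            } catch (IllegalArgumentException e) {
                System.out.println("strict   : " + e.getMessage());
            }
        }
    }
}
```

The strict variant fails closed: the caller has to handle the exception (for example by returning an error response) instead of dispatching on a name the clean up step produced itself.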
This only affects Struts 2; we are only shipping Struts 1.