← back
CVE-2011-5057

CVE-2011-5057

EPSS 28.6%
Apache Struts 2.3.1.2 and earlier, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote attackers to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this report because of an "easy work-around in existing apps by configuring the interceptor."
Affected products
n/a · n/a
public PoCs found1
exploitdbwww.exploit-db.com/exploits/36426unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://codesecure.blogspot.com/2011/12/struts-2-session-tampering-via.htmlhttp://secunia.com/advisories/47109https://issues.apache.org/jira/browse/WW-2264https://issues.apache.org/jira/browse/WW-3631