CVE-2016-1182

Published on: 07/04/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:05 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Certain versions of Struts from Apache contain the following vulnerability:

ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.

  • CVE-2016-1182 has been assigned by MITRE ([email protected]) to track the vulnerability; it is currently rated HIGH severity.

CVSS3 Score: 8.2 - HIGH

Attack Vector   Attack Complexity   Privileges Required   User Interaction
NETWORK         LOW                 NONE                  NONE

Scope       Confidentiality Impact   Integrity Impact   Availability Impact
UNCHANGED   NONE                     LOW                HIGH

CVSS2 Score: 6.4 - MEDIUM

Access Vector   Access Complexity   Authentication
NETWORK         LOW                 NONE

Confidentiality Impact   Integrity Impact   Availability Impact
NONE                     PARTIAL            PARTIAL

CVE References

  • CVE-2016-1182 (security-tracker.debian.org)
    Tags: Third Party Advisory
    Link: CONFIRM security-tracker.debian.org/tracker/CVE-2016-1182
  • No description provided (jvndb.jvn.jp)
    Tags: Third Party Advisory, VDB Entry, Vendor Advisory
    Link: JVNDB JVNDB-2016-000097
  • Oracle Critical Patch Update - July 2016
    Tags: Patch, Third Party Advisory
    Link: CONFIRM www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
  • Apache Struts CVE-2016-1182 Security Bypass Vulnerability (cve.report archive)
    Tags: Third Party Advisory, VDB Entry
    Link: BID 91067
  • JVN#65044642: Apache Struts 1 vulnerable to input validation bypass (jvn.jp)
    Tags: Vendor Advisory
    Link: JVN JVN#65044642
  • Oracle July 2016 Critical Patch Update Multiple Vulnerabilities (cve.report archive)
    Tags: Third Party Advisory, VDB Entry
    Link: BID 91787
  • Oracle Critical Patch Update Advisory - July 2020
    Tags: (none)
    Link: MISC www.oracle.com/security-alerts/cpujul2020.html
  • Oracle Critical Patch Update - January 2018
    Tags: Patch
    Link: CONFIRM www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
  • CPU July 2018
    Tags: Patch
    Link: CONFIRM www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
  • Oracle Critical Patch Update - October 2016
    Tags: Patch, Third Party Advisory
    Link: CONFIRM www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
  • Fixed CVE-2016-1181 and CVE-2016-1182 · kawasima/struts1-forever@eda3a79 · GitHub
    Tags: Issue Tracking, Patch
    Link: CONFIRM github.com/kawasima/struts1-forever/commit/eda3a79907ed8fcb0387a0496d0cb14332f250e8
  • April 2018 Apache Struts Vulnerabilities in NetApp Products | NetApp Product Security
    Tags: Third Party Advisory
    Link: CONFIRM security.netapp.com/advisory/ntap-20180629-0006/
  • Oracle Critical Patch Update - January 2019
    Tags: Patch
    Link: CONFIRM www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
  • 1343540 – (CVE-2016-1182) CVE-2016-1182 struts: Improper input validation in Validator
    Tags: Issue Tracking
    Link: CONFIRM bugzilla.redhat.com/show_bug.cgi?id=1343540
  • Oracle Critical Patch Update - July 2019
    Tags: (none)
    Link: MISC www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
  • CPU Oct 2018
    Tags: Patch
    Link: CONFIRM www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
  • Oracle Critical Patch Update Advisory - January 2020
    Tags: (none)
    Link: MISC www.oracle.com/security-alerts/cpujan2020.html
  • Oracle Critical Patch Update - October 2017
    Tags: Patch
    Link: CONFIRM www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
  • Apache Struts ActionForm and Validator Bugs Let Remote Users Deny Service, Obtain Potentially Sensitive Information, and Execute Arbitrary Code - SecurityTracker (www.securitytracker.com)
    Tags: Third Party Advisory, VDB Entry
    Link: SECTRACK 1036056
  • Oracle Critical Patch Update Advisory - April 2019
    Tags: (none)
    Link: MISC www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Known Affected Configurations (CPE V2.3)

Type          Vendor   Product   Version   Update   Edition   Language
Application   Apache   Struts    1.0       All      All       All
Application   Apache   Struts    1.0       beta1    All       All
Application   Apache   Struts    1.0       beta2    All       All
Application   Apache   Struts    1.0       beta3    All       All
Application   Apache   Struts    1.0.1     All      All       All
Application   Apache   Struts    1.0.2     All      All       All
Application   Apache   Struts    1.1       All      All       All
Application   Apache   Struts    1.1       b1       All       All
Application   Apache   Struts    1.1       b2       All       All
Application   Apache   Struts    1.1       b3       All       All
Application   Apache   Struts    1.1       rc1      All       All
Application   Apache   Struts    1.1       rc2      All       All
Application   Apache   Struts    1.2.0     All      All       All
Application   Apache   Struts    1.2.1     All      All       All
Application   Apache   Struts    1.2.2     All      All       All
Application   Apache   Struts    1.2.3     All      All       All
Application   Apache   Struts    1.2.4     All      All       All
Application   Apache   Struts    1.2.5     All      All       All
Application   Apache   Struts    1.2.6     All      All       All
Application   Apache   Struts    1.2.7     All      All       All
Application   Apache   Struts    1.2.8     All      All       All
Application   Apache   Struts    1.2.9     All      All       All
Application   Apache   Struts    1.3.5     All      All       All
Application   Apache   Struts    1.3.6     All      All       All
Application   Apache   Struts    1.3.7     All      All       All
Application   Apache   Struts    1.3.8     All      All       All
Application   Apache   Struts    1.3.9     All      All       All
Application   Apache   Struts    1.3.10    All      All       All
  • cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.3.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*
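The description and the configuration list above say which Struts 1 versions are affected (1.0 through 1.3.10, which is every Struts 1 release, since 1.3.10 was the last one) but give no way to find them in a deployment. The following Python script is an added example, not part of this CVE record or of Apache Struts: it recognises Struts 1 jars under WEB-INF/lib of a WAR by file name, checks whether the version falls in the affected range, and builds the CPE 2.3 name used in the configuration list so a finding can be matched against the record. The jar names in the sample WAR are constructed for the demo. Matching by file name is an assumption of this check: a renamed, shaded or repackaged copy of Struts 1, or one living in a container's shared lib directory, goes undetected, and a patched build (the struts1-forever commit referenced above, or a vendor backport such as those in the Oracle, NetApp and Red Hat references) keeps its 1.x version number and is still flagged. Treat a hit as "review this jar", not as proof of exposure.

```python
"""Inventory check for Struts 1 jars in the version range CVE-2016-1182 covers.

Added example; not part of the CVE record or of Apache Struts itself.  It
relies only on what the record states: every Struts 1 release from 1.0 through
1.3.10 is affected.  Matching is by jar file name (an assumption), so renamed,
shaded or repackaged copies are not detected, and a patched vendor build with a
1.x version number is still reported.  The sample jar names are constructed.
"""
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Struts 1 artifacts look like struts-1.2.9.jar or struts-core-1.3.10.jar,
# optionally with a pre-release tag (struts-1.1-b1.jar).  "struts2-core-2.x.jar"
# must not match: Struts 2 is a different code base and out of scope here.
_JAR_RE = re.compile(
    r"^struts(?:-[a-z][a-z-]*)?-(\d+\.\d+(?:\.\d+)?)(?:[-.]?((?:b|beta|rc)\d+))?\.jar$",
    re.IGNORECASE,
)

FIRST_AFFECTED = (1, 0, 0)
LAST_AFFECTED = (1, 3, 10)  # last Struts 1 release; still affected

# (version, update) pairs exactly as they appear in the record's CPE list.
RECORD_CPES = {
    ("1.0", "*"), ("1.0", "beta1"), ("1.0", "beta2"), ("1.0", "beta3"),
    ("1.0.1", "*"), ("1.0.2", "*"),
    ("1.1", "*"), ("1.1", "b1"), ("1.1", "b2"), ("1.1", "b3"), ("1.1", "rc1"), ("1.1", "rc2"),
    ("1.2.0", "*"), ("1.2.1", "*"), ("1.2.2", "*"), ("1.2.3", "*"), ("1.2.4", "*"),
    ("1.2.5", "*"), ("1.2.6", "*"), ("1.2.7", "*"), ("1.2.8", "*"), ("1.2.9", "*"),
    ("1.3.5", "*"), ("1.3.6", "*"), ("1.3.7", "*"), ("1.3.8", "*"), ("1.3.9", "*"), ("1.3.10", "*"),
}


@dataclass
class StrutsJar:
    path: str
    version: str   # as written in the file name, e.g. "1.3.10"
    update: str    # pre-release tag such as "b1" or "rc2", else "*"

    @property
    def version_tuple(self) -> Tuple[int, ...]:
        parts = [int(p) for p in self.version.split(".")]
        return tuple(parts + [0] * (3 - len(parts)))  # pad "1.0" to (1, 0, 0)

    @property
    def affected(self) -> bool:
        return FIRST_AFFECTED <= self.version_tuple <= LAST_AFFECTED

    @property
    def cpe(self) -> str:
        # CPE 2.3 formatted string: 13 colon-separated components.
        return f"cpe:2.3:a:apache:struts:{self.version}:{self.update}:*:*:*:*:*:*"

    @property
    def listed_in_record(self) -> bool:
        return (self.version, self.update) in RECORD_CPES


def parse_struts_jar(path: str) -> Optional[StrutsJar]:
    """Recognise a Struts 1 jar by its file name; return None for anything else."""
    m = _JAR_RE.match(path.rsplit("/", 1)[-1])
    if not m:
        return None
    return StrutsJar(path, m.group(1), (m.group(2) or "*").lower())


def scan_war(war_bytes: bytes) -> List[StrutsJar]:
    """Return the affected Struts 1 jars found under WEB-INF/lib of a WAR archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if name.startswith("WEB-INF/lib/") and name.lower().endswith(".jar"):
                jar = parse_struts_jar(name)
                if jar is not None and jar.affected:
                    findings.append(jar)
    return findings


def build_sample_war() -> bytes:
    """Constructed WAR with empty placeholder jars: two affected Struts 1 jars, one
    Struts 2 jar (out of scope for this record) and one unrelated library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for name in (
            "WEB-INF/lib/struts-core-1.3.10.jar",
            "WEB-INF/lib/struts-taglib-1.3.10.jar",
            "WEB-INF/lib/struts2-core-2.5.33.jar",
            "WEB-INF/lib/commons-validator-1.3.1.jar",
        ):
            war.writestr(name, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for jar in scan_war(build_sample_war()):
        listed = "listed" if jar.listed_in_record else "not listed"
        print(f"{jar.path}: affected by CVE-2016-1182, {jar.cpe} ({listed} in the record)")
```

Running the script against a real WAR only requires replacing build_sample_war() with the file's bytes; for an exploded deployment, feed the WEB-INF/lib file names to parse_struts_jar directly. The listed_in_record flag separates "in the affected range" from "named in the NVD configuration", which matters when a scanner is driven by exact CPE matches rather than by the version range.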