QID 376432
Date Published: 2022-03-02
QID 376432: Apache Struts Denial of Service (DoS) Vulnerability
Apache Struts is a free, open-source MVC framework for creating elegant, modern Java web applications. It favors convention over configuration, is extensible using a plugin architecture, and ships with plugins to support REST, AJAX and JSON.
ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.
Affected Versions:
Apache Struts versions prior to 1.2.9
QID detection logic (Authenticated):
Detection looks for "struts core" jar files in the deployed web application directories and the lib folder of the Tomcat server, which are located from running processes. Once a jar file is found, its version information is extracted and compared against the affected range.
Please note: Our detection does not support applications deployed with the server configuration unpackWARs=false.
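The following is an added illustration of the detection approach described above, not Qualys's own detection code. It assumes a Tomcat layout (CATALINA_HOME with webapps/ and lib/), that Struts jars are named struts*.jar, and that the version is recorded in the jar manifest's Implementation-Version attribute; the fixture it scans is constructed in a temporary directory.

```python
import re
import tempfile
import zipfile
from pathlib import Path

FIXED_VERSION = (1, 2, 9)  # first version the advisory lists as not affected

def parse_version(text):
    """Turn a version string such as '1.2.8' into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def jar_version(jar_path):
    """Version from the manifest's Implementation-Version (assumed present); None if absent."""
    with zipfile.ZipFile(jar_path) as jar:
        if "META-INF/MANIFEST.MF" not in jar.namelist():
            return None
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def find_struts_jars(tomcat_root):
    """Mirror the QID's search: each webapp's WEB-INF/lib plus Tomcat's own lib folder.
    Only exploded webapps are seen, which is the unpackWARs=false caveat above."""
    root = Path(tomcat_root)
    jars = list(root.glob("webapps/*/WEB-INF/lib/struts*.jar")) + list(root.glob("lib/struts*.jar"))
    return sorted(jars)

def vulnerable_jars(tomcat_root):
    """Return [(path, version)] for Struts jars older than 1.2.9 or with an unknown version."""
    findings = []
    for jar in find_struts_jars(tomcat_root):
        version = jar_version(jar)
        if version is None or parse_version(version) < FIXED_VERSION:
            findings.append((str(jar), version))
    return findings

def build_sample_layout():
    """Constructed fixture: a fake CATALINA_HOME holding one old and one current Struts jar."""
    root = Path(tempfile.mkdtemp())
    fixtures = {"webapps/legacy/WEB-INF/lib/struts.jar": "1.2.8",
                "lib/struts-core-1.3.10.jar": "1.3.10"}
    for rel, version in fixtures.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
    return root
```

Running `vulnerable_jars(build_sample_layout())` reports only the 1.2.8 jar under the legacy webapp; the 1.3.10 jar in lib/ passes the version comparison.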
Successful exploitation of the vulnerability may allow an attacker to cause a denial of service.
CVEs related to QID 376432
| Advisory ID | Software | Component | Link |
|---|---|---|---|