Published: 2020/08/25  Last Updated: 2020/08/25

Apache Struts 2 vulnerable to denial-of-service (DoS)


Apache Struts 2 contains a denial-of-service (DoS) vulnerability.

Products Affected

  • Struts 2.0.0 to 2.5.20


Apache Struts 2 provided by The Apache Software Foundation contains a denial-of-service (DoS) vulnerability (CWE-400).


An attacker may be able to cause a denial-of-service (DoS).


Update the Software
Update to the latest version according to the information provided by the developer.

Apply a Workaround
Apply the following workaround to mitigate the impact of this vulnerability:

Add and java.nio. to the value attribute of the struts.excludedPackageNames constant in struts-default.xml

However, the developer recommends updating the software.
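A check for the two conditions above, written as an added example that is not part of the advisory or of Apache Struts: whether a deployed struts2-core version falls in the affected range, and whether the struts.excludedPackageNames constant already carries the workaround entry. The sample XML is constructed, and REQUIRED_EXCLUSIONS is an assumption that holds only the package prefix legible in the workaround text.

```python
import re
import xml.etree.ElementTree as ET

# Affected range as stated in this advisory: Struts 2.0.0 to 2.5.20.
AFFECTED_MIN, AFFECTED_MAX = (2, 0, 0), (2, 5, 20)
# Assumption: only the prefix legible in the workaround text is listed here.
REQUIRED_EXCLUSIONS = ("java.nio.",)

# Constructed sample configs (not the struts-default.xml shipped by any release).
SAMPLE_BEFORE = """<struts>
  <constant name="struts.excludedPackageNames"
            value="ognl.,
                   javax."/>
</struts>"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("javax.", "javax.,java.nio.")


def parse_version(text):
    """Extract a dotted version from '2.3.37' or 'struts2-core-2.5.20.jar'."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group().split("."))
    return parts + (0,) * (3 - len(parts))  # pad '2.5' to (2, 5, 0)


def is_affected(version_text):
    """True when the version falls inside the advisory's affected range."""
    v = parse_version(version_text)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def excluded_packages(xml_text):
    """Entries of struts.excludedPackageNames, or None if the constant is absent."""
    for const in ET.fromstring(xml_text).iter("constant"):
        if const.get("name") == "struts.excludedPackageNames":
            return [p for p in re.split(r"[,\s]+", const.get("value", "")) if p]
    return None


def missing_exclusions(xml_text, required=REQUIRED_EXCLUSIONS):
    """Required prefixes that the configuration does not yet exclude."""
    present = excluded_packages(xml_text) or []
    return [p for p in required if p not in present]


if __name__ == "__main__":
    for name in ("struts2-core-2.5.20.jar", "struts2-core-2.5.22.jar"):
        print(name, "affected" if is_affected(name) else "outside affected range")
    print("missing before:", missing_exclusions(SAMPLE_BEFORE))
    print("missing after: ", missing_exclusions(SAMPLE_AFTER))
```
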

Vendor Status

| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| Azbil Corporation | Vulnerability Information Provided | 2020/08/25 | |
| BizMobile Inc. | Not Vulnerable | 2020/08/25 | |
| FUJITSU LIMITED | Not Vulnerable | 2020/08/25 | |
| JT Engineering inc. | Not Vulnerable | 2020/08/25 | |
| JustSystems Corporation | Vulnerability Information Provided | 2020/08/25 | |
| JVCKENWOOD Corporation | Vulnerability Information Provided | 2020/08/25 | |
| NEC Corporation | Not Vulnerable, investigating | 2020/08/25 | |
| NTT DATA Corporation | Not Vulnerable | 2020/08/25 | |
| Sony Corporation | Vulnerability Information Provided | 2020/08/25 | |
| Sumitomo Electric Industries, LTD. | Not Vulnerable | 2020/08/25 | |
| Toshiba Corporation | Vulnerable, investigating | 2020/08/25 | |
| TOSHIBA TEC CORPORATION | Not Vulnerable | 2020/08/25 | |

| Vendor | Link |
|---|---|
| The Apache Software Foundation | S2-060 - Apache Struts 2 Wiki - Apache Software Foundation |


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 Base Score: 5.9
  Attack Vector (AV): Physical (P), Local (L), Adjacent (A), Network (N)
  Attack Complexity (AC): High (H), Low (L)
  Privileges Required (PR): High (H), Low (L), None (N)
  User Interaction (UI): Required (R), None (N)
  Scope (S): Unchanged (U), Changed (C)
  Confidentiality Impact (C): None (N), Low (L), High (H)
  Integrity Impact (I): None (N), Low (L), High (H)
  Availability Impact (A): None (N), Low (L), High (H)

CVSS v2 Base Score: 4.3
  Access Vector (AV): Local (L), Adjacent Network (A), Network (N)
  Access Complexity (AC): High (H), Medium (M), Low (L)
  Authentication (Au): Multiple (M), Single (S), None (N)
  Confidentiality Impact (C): None (N), Partial (P), Complete (C)
  Integrity Impact (I): None (N), Partial (P), Complete (C)
  Availability Impact (A): None (N), Partial (P), Complete (C)


Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2019-0233
JVN iPedia: JVNDB-2020-000055