Published:2006/04/26  Last Updated:2008/05/21
JVN#72225922
Apache Struts Validator allows to bypass input data validation
Overview
Apache Struts is a Web application framework from the Apache Software Foundation.
Apache Struts contains a vulnerability that allows input data validation by the Validator to be bypassed.
					
Products Affected
- Apache Struts 1.2.8 and earlier
Description
Impact
Depending on the web application, an attacker may be able to cause unexpected operations by bypassing validation of input data. For example, data in an unintended format may be saved.
Solution
Vendor Status
| Vendor | Status | Last Update | Vendor Notes | 
|---|---|---|---|
| RICOH COMPANY, LTD. | Not Vulnerable | 2006/05/10 | |
| NEC Corporation | Vulnerable, investigating | 2006/08/31 | |

| Vendor | Link |
|---|---|
| Apache Software Foundation | http://struts.apache.org/1.2.9/userGuide/release-notes.html |
References
JPCERT/CC Addendum
Credit
Masato Anzai of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under the Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory | |
| CPNI Advisory | |
| TRnotes | |
| CVE | CVE-2006-1546 | 
| JVN iPedia | JVNDB-2006-000615 | 
