JVN#95989300
Apache Struts vulnerable to cross-site scripting
Overview
Apache Struts contains a cross-site scripting vulnerability when devMode is left turned on.
Products Affected
- Apache Struts versions prior to 2.3.20
As of April 5, 2013, the Apache Software Foundation has announced that Apache Struts 1 is no longer developed or supported.
Description
Apache Struts provided by the Apache Software Foundation is a software framework for creating Java web applications. Apache Struts contains a cross-site scripting vulnerability when devMode is left turned on.
Impact
An arbitrary script may be executed on the user's web browser.
Solution
Update the software
Update to the latest version according to the information provided by the developer.
Apply a Workaround
If an update cannot be applied, the following workaround can mitigate the effects of this vulnerability.
- Turn off devMode
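To verify the workaround, the check below (an added example, not part of the JVN advisory or of Apache Struts itself) scans the two usual places where the `struts.devMode` constant is set, struts.xml and struts.properties, and flags any source that still leaves devMode enabled. The file contents are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a struts.xml that still enables devMode.
STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<struts>
  <constant name="struts.devMode" value="true" />
  <constant name="struts.i18n.encoding" value="UTF-8" />
  <package name="default" extends="struts-default" />
</struts>
"""

# Constructed sample: a struts.properties that turns devMode off.
STRUTS_PROPERTIES = """# application settings
struts.devMode = false
struts.ui.theme=simple
"""

def devmode_from_xml(xml_text):
    """Values given to struts.devMode by <constant> elements in struts.xml."""
    root = ET.fromstring(xml_text)
    return [c.get("value", "") for c in root.iter("constant")
            if c.get("name") == "struts.devMode"]

def devmode_from_properties(props_text):
    """Values given to struts.devMode in a Java .properties file."""
    values = []
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue                      # blank line or comment
        m = re.match(r"struts\.devMode\s*[=:]\s*(.*)$", line)
        if m:
            values.append(m.group(1).strip())
    return values

def audit_devmode(xml_text, props_text):
    """Collect every devMode setting; report whether any source enables it.
    Precedence between the files is not modelled (any 'true' is flagged),
    and constants injected through web.xml init-params are not checked."""
    findings = [("struts.xml", v) for v in devmode_from_xml(xml_text)]
    findings += [("struts.properties", v) for v in devmode_from_properties(props_text)]
    enabled = any(v.lower() == "true" for _, v in findings)
    return {"enabled": enabled, "findings": findings}

if __name__ == "__main__":
    print(audit_devmode(STRUTS_XML, STRUTS_PROPERTIES))
```

Run it against the deployed application's own files; a result with `enabled` set to True means the workaround has not actually been applied in at least one configuration source.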
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
JT Engineering inc. | Not Vulnerable | 2015/09/05 | |
NEC Corporation | Vulnerable | 2017/07/21 | |

Vendor | Link |
---|---|
Apache Software Foundation | Announcements - 26 August 2015 |
Apache Software Foundation | S2-025 - Cross-Site Scripting Vulnerability in Debug Mode and in exposed JSP files |
Apache Software Foundation | Apache Struts2 Core Developers Guide / Security |
Apache Software Foundation | devMode |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
Authentication(Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Masaki Yoshikawa of LAC Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
Item | Value |
---|---|
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2015-5169 |
JVN iPedia | JVNDB-2015-000125 |
Update History
- 2015/09/07
- JT Engineering inc. updated its vendor status and the section under "Affected System" was revised.
- 2017/07/21
- NEC Corporation updated its vendor status.