Vulnerability Details CVE-2015-0899
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.869
EPSS Ranking 99.4%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- http://jvn.jp/en/jp/JVN86448949/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2015-000042
- http://www.debian.org/security/2016/dsa-3536
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.securityfocus.com/bid/74423
- https://en.osdn.jp/projects/terasoluna/wiki/StrutsPatch2-EN
- https://security.netapp.com/advisory/ntap-20180629-0006/
- http://jvn.jp/en/jp/JVN86448949/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2015-000042
- http://www.debian.org/security/2016/dsa-3536
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.securityfocus.com/bid/74423
- https://en.osdn.jp/projects/terasoluna/wiki/StrutsPatch2-EN
- https://security.netapp.com/advisory/ntap-20180629-0006/
Products affected by CVE-2015-0899
-
cpe:2.3:a:apache:struts:1.0
-
cpe:2.3:a:apache:struts:1.0.2
-
cpe:2.3:a:apache:struts:1.1
-
cpe:2.3:a:apache:struts:1.2.2
-
cpe:2.3:a:apache:struts:1.2.4
-
cpe:2.3:a:apache:struts:1.2.6
-
cpe:2.3:a:apache:struts:1.2.7
-
cpe:2.3:a:apache:struts:1.2.8
-
cpe:2.3:a:apache:struts:1.2.9
-
cpe:2.3:a:apache:struts:1.3.10
-
cpe:2.3:a:apache:struts:1.3.5
-
cpe:2.3:a:apache:struts:1.3.8