
CVE-2011-5057

CVSSv4: NA | CVSSv3: NA | CVSSv2: 5 | VMScore: 600 | EPSS: 0.50546 | KEV: Not Included
Published: 08/01/2012 Updated: 11/04/2025

Vulnerability Summary

Apache Struts 2.3.1.2 and previous versions, 2.3.19-2.3.23, provides interfaces that do not properly restrict access to collections such as the session and request collections, which might allow remote malicious users to modify run-time data values via a crafted parameter to an application that implements an affected interface, as demonstrated by the SessionAware, RequestAware, ApplicationAware, ServletRequestAware, ServletResponseAware, and ParameterAware interfaces. NOTE: the vendor disputes the significance of this report because of an "easy work-around in existing apps by configuring the interceptor."

Vulnerable Product

apache struts

Exploits

source: www.securityfocus.com/bid/50940/info Apache Struts is prone to a security-bypass vulnerability that allows session tampering. Successful attacks will allow attackers to bypass security restrictions and gain unauthorized access. Apache Struts versions 2.0.9 and 2.1.8.1 are vulnerable; other versions may also be affected. w ...