Cross-site Request Forgery (CSRF) Affecting org.apache.struts:struts2-core package, versions [2.0.0, 2.3.20)
Snyk CVSS
Attack Complexity
Low
User Interaction
Required
Threat Intelligence
EPSS
0.19% (57th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGAPACHESTRUTS-30057
- published 8 Dec 2014
- disclosed 8 Dec 2014
- credit Philippe Arteau
Introduced: 8 Dec 2014
CVE-2014-7809 Open this link in a new tabOverview
It uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.
References
- https://github.com/apache/struts/commit/1f301038a751bf16e525607c3db513db835b2999%23diff-fdda7326ddc2f0d989ed7beaf9f67982
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7809
- http://blog.h3xstream.com/2014/12/predicting-struts-csrf-token-cve-2014.html
- http://struts.apache.org/docs/s2-023.html