CVE-2014-7809

EPSS 7.5%

Cross-Site Request Forgery in Apache Struts

Published: 5/14/2022, Modified: 12/6/2024

Description

Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism.

Affected packages (1)

References (8)