CVE-2012-4386 — Cross-Site Request Forgery in Apache Struts

Description

The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute.

How to fix CVE-2012-4386

To remediate CVE-2012-4386, upgrade the affected package to a fixed version below.

Maven/org.apache.struts:struts2-core—upgrade to 2.3.4.1 or later

Is CVE-2012-4386 being exploited?

Low — EPSS is 3.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.0.0, < 2.3.4.1

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-4386
WEBexchange.xforce.ibmcloud.com/vulnerabilities/78182
WEBissues.apache.org/jira/browse/WW-3858
WEBstruts.apache.org/2.x/docs/s2-010.html
WEB