CVE-2014-7809
Cross-Site Request Forgery in Apache Struts
EPSS 7.5%
Description
Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. The token is the double-submit value emitted by the <s:token/> tag and checked by the token interceptors (Struts security bulletin S2-023). It was generated from java.util.Random, a linear congruential generator whose internal state can be recovered from a few observed outputs, rather than from a cryptographically secure generator; because the generator instance is shared by all sessions, tokens an attacker obtains legitimately for their own session reveal the state from which other users' tokens are produced. The fix in 2.3.20 switches token generation to java.security.SecureRandom.
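The following is an added illustration, not code from Struts or from this advisory, of why a token derived from java.util.Random is predictable. It re-implements the JDK's 48-bit LCG in Python, treats one 32-bit output as the token (Struts' real TokenHelper drew a 165-bit BigInteger, so the real encoding differs; the seed and the 8-hex-digit token format are constructed for the demo), recovers the generator state from two observed tokens by brute-forcing the 16 hidden state bits, and predicts the third. secure_token() shows the shape of the SecureRandom-style fix using Python's secrets module as a stand-in.

```python
import secrets

# Constants of java.util.Random's 48-bit linear congruential generator (from the JDK spec).
MULT = 0x5DEECE66D
INC = 0xB
MASK = (1 << 48) - 1


class JavaRandom:
    """Minimal re-implementation of java.util.Random: same LCG, same seed scrambling."""

    def __init__(self, seed):
        self.state = (seed ^ MULT) & MASK

    def next_u32(self):
        # java.util.Random.next(32): advance the LCG and expose the top 32 of the 48 state bits.
        self.state = (self.state * MULT + INC) & MASK
        return self.state >> 16


def weak_token(rng):
    """Simplified stand-in for a token built from java.util.Random output (constructed format).
    Struts' TokenHelper used a 165-bit BigInteger; one 32-bit word is enough to show the flaw."""
    return "%08X" % rng.next_u32()


def recover_states(o1, o2):
    """Given two consecutive 32-bit outputs, return every 48-bit state consistent with them.
    Only the low 16 bits of the state are hidden, so at most 2^16 candidates need checking."""
    found = []
    for low in range(1 << 16):
        s1 = (o1 << 16) | low
        s2 = (s1 * MULT + INC) & MASK
        if s2 >> 16 == o2:
            found.append(s2)
    return found


def predict_next_u32(o1, o2):
    """Predict the third output from the first two. Usually one candidate; rarely a few."""
    return [((s * MULT + INC) & MASK) >> 16 for s in recover_states(o1, o2)]


def attack_demo(seed):
    """Attacker observes two tokens from the shared generator and predicts the third.
    Returns (predicted_tokens, actual_third_token)."""
    server_rng = JavaRandom(seed)                       # constructed: the server's shared generator
    t1, t2 = weak_token(server_rng), weak_token(server_rng)   # tokens the attacker obtained legitimately
    predictions = ["%08X" % v for v in predict_next_u32(int(t1, 16), int(t2, 16))]
    return predictions, weak_token(server_rng)          # the next token, e.g. a victim's


def secure_token():
    """Shape of the fix: draw the token from an OS-backed CSPRNG whose outputs reveal no state.
    secrets is the Python analogue of java.security.SecureRandom."""
    return secrets.token_hex(21)  # 168 bits, comparable to Struts' 165-bit token


if __name__ == "__main__":
    preds, actual = attack_demo(0xC0FFEE)  # constructed seed; any seed behaves the same
    print("predicted:", preds, "actual:", actual, "hit:", actual in preds)
```

The brute force is 65,536 iterations and completes instantly; no knowledge of the seed is needed, only two consecutive outputs. The same recovery works against any token format that exposes enough raw java.util.Random bits, which is why only replacing the generator, not re-encoding its output, removes the weakness.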
How to fix CVE-2014-7809
To remediate CVE-2014-7809, upgrade the affected package to a fixed version below. Check what is actually on the classpath (for example with mvn dependency:tree, filtering for struts2-core) rather than only the declared version, since a transitive dependency can pull in an older build.
- Maven/org.apache.struts:struts2-core—upgrade to 2.3.20 or later
Is CVE-2014-7809 being exploited?
Moderate: EPSS is 7.5%, an estimated 7.5% probability of exploitation activity in the wild within the next 30 days. Track this CVE, but it is not at the top of the prioritisation list. Note that exploitation requires an attacker who can obtain tokens from the application and then lure a logged-in victim into a forged request, so exposure is highest for internet-facing Struts 2 applications that rely on <s:token/> as their only CSRF defence.
Affected packages (1)
- org.apache.struts:struts2-core: all versions before 2.3.20 (range >= 0, < 2.3.20; in practice 2.0.0 through 2.3.16.x)