CVE-2015-0899 — libstruts1.2-java - security update

Description

The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.

How to fix CVE-2015-0899

To remediate CVE-2015-0899, upgrade the affected package to a fixed version below.

Debian/libstruts1.2-java—upgrade to 1.2.9-4+deb6u2 or later
—upgrade to 1.2.9-5+deb7u2 or later
—no fix listed
—no fix listed

Is CVE-2015-0899 being exploited?

Likely — EPSS is 69.5%, placing CVE-2015-0899 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (4)

from 0, < 1.2.9-4+deb6u2
from 0, < 1.2.9-5+deb7u2
>= 1.1, <= 1.3.10
>= 1.1, <= 1.2.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-0899
PATCHgithub.com/apache/struts
WEBjvndb.jvn.jp/jvndb/JVNDB-2015-000042
WEBjvn.jp/en/jp/JVN86448949/index.html
WEBen.osdn.jp/projects/terasoluna/wiki/StrutsPatch2-EN