CVE-2016-4465 — Apache Struts vulnerable to possible DoS attack when using URLValidator

Description

The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.13 allows remote attackers to cause a denial of service via a null value for a URL field.

How to fix CVE-2016-4465

To remediate CVE-2016-4465, upgrade the affected package to a fixed version below.

Maven/org.apache.struts:struts2-core—upgrade to 2.3.29 or later

Is CVE-2016-4465 being exploited?

Moderate — EPSS is 10.4%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

>= 2.3.20, < 2.3.29

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-4465
PATCHgithub.com/apache/struts
WEBjvndb.jvn.jp/jvndb/JVNDB-2016-000114
WEBjvn.jp/en/jp/JVN12352818/index.html
WEBbugzilla.redhat.com/show_bug.cgi?id=1348253