Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2015-0899

CVE-2015-0899:
Improper Input Validation in Apache Struts

7.5

CVSS Score

Basic Information

CVE ID
CVE-2015-0899
GHSA ID
GHSA-cvvx-r33m-v7pq
EPSS Score
-
CWE
CWE-20
Published
5/14/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.struts:struts-coremaven>= 1.1, <= 1.3.10

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability CVE-2015-0899 explicitly references the MultiPageValidator implementation in Apache Struts 1.x. The core issue stems from improper validation of the 'page' parameter, which is used to control multi-page form validation. The validate method in MultiPageValidator is responsible for applying validation rules based on the current page context. By manipulating this parameter, attackers can bypass validation steps. The advisory confirms that even applications not explicitly using MultiPageValidator are vulnerable if they rely on Struts' default validation framework, reinforcing the function's central role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** MultiP***V*li**tor impl*m*nt*tion in *p**** Struts * *.* t*rou** *.*.** *llows r*mot* *tt**k*rs to *yp*ss int*n*** ****ss r*stri*tions vi* * mo*i*i** p*** p*r*m*t*r.

Reasoning

T** vuln*r**ility *V*-****-**** *xpli*itly r***r*n**s t** MultiP***V*li**tor impl*m*nt*tion in *p**** Struts *.x. T** *or* issu* st*ms *rom improp*r v*li**tion o* t** 'p***' p*r*m*t*r, w*i** is us** to *ontrol multi-p*** *orm v*li**tion. T** v*li**t*