
CVE-2015-1831: Incomplete exclude pattern in Apache Struts

CVSS Score: 7.5

Basic Information

EPSS Score: 0.90245%
CWE: -
Published: 5/17/2022
Updated: 12/28/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Package Name                         Ecosystem  Vulnerable Versions     First Patched Version
org.apache.struts:struts2-core       maven      >= 2.0.0, < 2.3.20.1    2.3.20.1
org.apache.struts.xwork:xwork-core   maven      >= 2.0.0, < 2.3.20.1    2.3.20.1

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from three key insecure configurations:

  1. The params interceptor's explicit excludeParams pattern was insufficient to block dangerous parameters
  2. DefaultExcludedPatternsChecker's hardcoded patterns lacked protections against class property manipulation
  3. Package name exclusion patterns improperly handled the javax.* namespace

These were all addressed in the patch by:

  • Removing manual excludeParams overrides to use improved defaults
  • Consolidating security patterns with negative lookaheads
  • Adding class-related exclusion patterns
  • Refining javax package exclusions
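The first two root causes come down to one mechanism: an explicit excludeParams override replaces the default exclusion list instead of extending it, so a name shape the override never mentions (anything reaching the class property) is accepted. The following added illustration, written for this page and not Struts' or Miggo's code, runs a constructed override beside a constructed consolidated pattern set over sample parameter names; the patterns approximate the idea and are not Struts' real ones, and package-name (javax.*) exclusion is not modelled.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Illustrative checker (constructed for this page, not Struts code): an explicit
// excludeParams override REPLACES the default exclusion list, so anything the
// override forgets (here, class-related names) is accepted.
public class ExcludeParamsDemo {
    // Constructed override in the style of a struts.xml excludeParams value.
    // It names several framework prefixes but says nothing about "class".
    static final List<Pattern> OVERRIDE = compile(
        "dojo\\..*", "^struts\\..*", "^session\\..*", "^request\\..*",
        "^application\\..*", "^servlet(Request|Response)\\..*",
        "^parameters\\..*", "^action:.*", "^method:.*");

    // Constructed consolidated set: the same framework names in one pattern that
    // also covers top/bracket access, plus a class-related exclusion.
    static final List<Pattern> CONSOLIDATED = compile(
        "^#?(top\\.)?(dojo|struts|session|request|response|application"
            + "|servlet(Request|Response|Context)?|parameters)[.\\[].*",
        "^(action|method):.*",
        "(^|.*[.\\['\"])class[.\\['\"].*");

    static List<Pattern> compile(String... regexes) {
        List<Pattern> out = new ArrayList<>();
        for (String r : regexes) out.add(Pattern.compile(r));
        return out;
    }

    // A parameter name is rejected when any pattern matches it in full,
    // mirroring how an excluded-patterns check decides per name.
    static boolean isExcluded(List<Pattern> patterns, String name) {
        for (Pattern p : patterns) {
            if (p.matcher(name).matches()) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed parameter names: one ordinary, two class-related,
        // one framework-internal.
        String[] names = {"user.name", "class.classLoader.x",
                          "top['class'].x", "struts.token"};
        System.out.printf("%-24s %-9s %s%n", "name", "override", "consolidated");
        for (String n : names) {
            System.out.printf("%-24s %-9b %b%n", n,
                isExcluded(OVERRIDE, n), isExcluded(CONSOLIDATED, n));
        }
    }
}
```

Both sets reject struts.token, but only the consolidated set rejects the two class-related names; the override lets them through exactly because it displaced the defaults.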


WAF Protection Rules

WAF Rule

The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors. In Struts 2.3.20.1 a better set of exclude patterns was defined.
