CVE-2016-4465: Apache Struts vulnerable to possible DoS attack when using URLValidator
5.3
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.93886%
CWE
Published
5/17/2022
Updated
1/4/2024
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.struts:struts2-core | maven | >= 2.3.20, < 2.3.29 | 2.3.29 |
org.apache.struts:struts2-core | maven | >= 2.5.0, < 2.5.13 | 2.5.13 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper input validation in the URLValidator's regex pattern. The patch modifies the regex from '\/+' to '\/{0,1}' to limit slash repetitions, and adds a test case demonstrating protection against 'http://example.com////////////////////////////////////////////////////////////////////////////////////??'. This directly addresses ReDoS by preventing excessive backtracking in the regex engine.