
CVE-2016-4465: Apache Struts vulnerable to possible DoS attack when using URLValidator

CVSS Score: 5.3 (CVSS v3.0)

Basic Information

EPSS Score: 0.93886%
Published: 5/17/2022
Updated: 1/4/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.apache.struts:struts2-core | maven | >= 2.3.20, < 2.3.29 | 2.3.29
org.apache.struts:struts2-core | maven | >= 2.5.0, < 2.5.13 | 2.5.13

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from improper input validation in the URLValidator's regex pattern, which backtracks excessively when a URL contains a long run of slashes. The patch changes the regex from '\/+' to '\/{0,1}' to limit slash repetitions, and adds a test case demonstrating protection against 'http://example.com////////////////////////////////////////////////////////////////////////////////////??'. This directly addresses the ReDoS by preventing catastrophic backtracking in the regex engine.


WAF Protection Rules

WAF Rule

The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.12 allows remote attackers to cause a denial of service via a null value for a URL field.
