CVE-2006-1547

HIGH KEV

Apache Struts < 1.2.9 - Denial of Service via Multipart Form Parameter Manipulation

Title source: llm

Exploitation Summary

CVE-2006-1547 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added January 21, 2022.

Description

ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.

References (10)

Core References
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1015856
Broken Link, Exploit, Patch, Vendor Advisory x_refsource_confirm
http://struts.apache.org/struts-doc-1.2.9/userGuide/release-notes.html
Broken Link vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/1205
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/17342
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/19493
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/25613
Broken Link third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20117
Broken Link, Issue Tracking x_refsource_confirm
http://issues.apache.org/bugzilla/show_bug.cgi?id=38534

Scores

CVSS v3 7.5
EPSS 0.2219
EPSS Percentile 95.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact partial

Details

CISA KEV 2022-01-21
VulnCheck KEV 2022-01-21
InTheWild.io 2022-01-21
ENISA EUVD EUVD-2022-3054
CWE
CWE-749
Status published
Products (2)
apache/struts < 1.2.9
struts/struts 0 - 1.2.9 (Maven)
Published Mar 30, 2006
KEV Added Jan 21, 2022
Tracked Since Feb 18, 2026