CVE-2016-8738
MEDIUMApache Struts 2.5-2.5.5 - Denial of Service via URLValidator
Title source: llmDescription
In Apache Struts 2.5 through 2.5.5, if an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20180629-0003/
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/94657
Mitigation, Patch, Vendor Advisory x_refsource_confirm
https://struts.apache.org/docs/s2-044.html
Scores
CVSS v3
5.9
EPSS
0.0111
EPSS Percentile
78.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-20
Status
published
Products (8)
apache/struts
2.5
apache/struts
2.5.1
apache/struts
2.5.2
apache/struts
2.5.3
apache/struts
2.5.4
apache/struts
2.5.5
Apache Software Foundation/Apache Struts
2.5 - 2.5.5
org.apache.struts/struts2-core
2.5.0 - 2.5.13Maven
Published
Sep 20, 2017
Tracked Since
Feb 18, 2026