Red Hat Bugzilla – Bug 1013030
CVE-2013-4310 struts: broken access control vulnerability
Last modified: 2013-10-18 13:08:25 EDT
Struts 2 action mapping mechanism supports the special parameter prefix action: which is intended to help with attaching navigational information to buttons within forms.
In Struts 2 before 22.214.171.124, under certain conditions this can be used to bypass security constraints. More details will available later on when the patch will be widely adopted.
Upstream bug report: https://issues.apache.org/jira/browse/WW-4200
actual Struts version in fedora is 1.3.10
the problem is present only in Struts 2.0.0 and Struts 126.96.36.199
please close this bug
Yes, upstream indicates 2.0.0+ but that is only because 1.x is no longer supported (so they never indicate whether it is affected). Did you see the patch that corrects this issue and verify that it doesn't apply to 1.x? Or do you have something more concrete than just upstream's "affected versions" value to substantiate this claim?
not applicabile for 1.x series (required by springframework)
the files that should be patched are not available in 1.x
structs2 breaks compatibility also with the following package
velocity-tools (springframework BR/R)
i will not update structs2, until depend on tomcat6 apis, or SpringFramework and Velocity tools do not require more
Not Vulnerable. This issue only affects struts 2, it does not affect the versions of struts as shipped with various Red Hat products.
Struts 188.8.131.52 GA was announced yesterday, noting this issue as fixed, so possibly the previous fix was not sufficient:
(In reply to Vincent Danen from comment #10)
> Struts 184.108.40.206 GA was announced yesterday, noting this issue as fixed, so
> possibly the previous fix was not sufficient:
the bug hit only the 2.x series, and if read the previous comments, you can give an answer
(In reply to gil cattaneo from comment #11)
> the bug hit only the 2.x series, and if read the previous comments, you can
> give an answer
Yes, I'm aware of that. I was just noting followup information, not implying that 1.x was affected.