Configuration in org.apache.struts:struts2-assembly

CVE-2013-4316

org.apache.struts:struts2-assembly
org.apache.struts:struts2-core
org.apache.struts:struts2-parent
org.apache.struts:struts2-rest-plugin

High

10/10

Summary

Apache Struts through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.

Access Complexity: LOW
AccessVector: NETWORK
Authentication: NONE
Integrity Impact: COMPLETE
Confidentiality Impact: COMPLETE
Availability Impact: COMPLETE

CWE-16 - Configuration

Weaknesses in this category are typically introduced during the configuration of the software.

References

Advisory Timeline

Published Sep 30, 2013