CVE-2015-1831: Incomplete exclude pattern in Apache Struts

May 17, 2022 (updated December 28, 2023)

The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to “compromise internal state of an application” via unspecified vectors.

References

github.com/advisories/GHSA-q2cg-xf9p-h457
github.com/apache/struts/commit/d832747d647df343ed07a58b1b5e540a05a4d51b
nvd.nist.gov/vuln/detail/CVE-2015-1831
struts.apache.org/docs/s2-024.html

Code Behaviors & Features

Detect and mitigate CVE-2015-1831 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →