CVE-2016-4003 - OpenCVE

Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Struts

Configuration 1 [-]

cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://struts.apache.org/docs/s2-028.html
http://www.securityfocus.com/bid/86311
http://www.securitytracker.com/id/1035268
https://issues.apache.org/jira/browse/WW-4507
https://nvd.nist.gov/vuln/detail/CVE-2016-4003
https://www.cve.org/CVERecord?id=CVE-2016-4003

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2016-04-12T16:00:00

Updated: 2024-08-06T00:17:29.844Z

Reserved: 2016-04-12T00:00:00

Link: CVE-2016-4003

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2016-04-12T16:59:04.313

Modified: 2018-11-23T16:21:31.633

Link: CVE-2016-4003

Redhat

Severity : Moderate

Publid Date: 2016-04-13T00:00:00Z

Links: CVE-2016-4003 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-03-11T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-11-25T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://struts.apache.org/docs/s2-028.html"}, {"name": "86311", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/86311"}, {"name": "1035268", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1035268"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://issues.apache.org/jira/browse/WW-4507"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-4003", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://struts.apache.org/docs/s2-028.html", "refsource": "CONFIRM", "url": "http://struts.apache.org/docs/s2-028.html"}, {"name": "86311", "refsource": "BID", "url": "http://www.securityfocus.com/bid/86311"}, {"name": "1035268", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1035268"}, {"name": "https://issues.apache.org/jira/browse/WW-4507", "refsource": "CONFIRM", "url": "https://issues.apache.org/jira/browse/WW-4507"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T00:17:29.844Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://struts.apache.org/docs/s2-028.html"}, {"name": "86311", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/86311"}, {"name": "1035268", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1035268"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://issues.apache.org/jira/browse/WW-4507"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-4003", "datePublished": "2016-04-12T16:00:00", "dateReserved": "2016-04-12T00:00:00", "dateUpdated": "2024-08-06T00:17:29.844Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1F46D0C-BEAD-4CF3-827F-28D3BFD0A4AB", "versionEndIncluding": "2.3.24.1", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter."}, {"lang": "es", "value": "Vulnerabilidad de XSS en la funci\u00f3n URLDecoder en JRE en versiones anteriores a 1.8, tal y como se utiliza en Apache Struts 2.x en versiones anteriores a 2.3.28, cuando utiliza una codificaci\u00f3n de p\u00e1gina de un solo byte, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de caracteres multi-byte en un par\u00e1metro con codificaci\u00f3n url."}], "id": "CVE-2016-4003", "lastModified": "2018-11-23T16:21:31.633", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-04-12T16:59:04.313", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://struts.apache.org/docs/s2-028.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/86311"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1035268"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://issues.apache.org/jira/browse/WW-4507"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "struts2: cross-site scripting vulnerability in the URLDecoder function", "id": "1326725", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1326725"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "status": "draft"}, "cwe": "CWE-79", "details": ["Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter."], "name": "CVE-2016-4003", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6.0.0", "fix_state": "Not affected", "package_name": "struts2-core", "product_name": "Red Hat JBoss Fuse Service Works 6.0.0"}], "public_date": "2016-04-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-4003\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-4003\nhttp://struts.apache.org/docs/s2-028.html"], "statement": "A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages. The inclusion was part of an import of the Google Guice repository, which includes struts2-core. Customers that build artefacts from our source code could be at risk. Red Hat will remove these artefacts from source code in future releases.\nThe products that included the Struts 2 artefacts in their source jars:\nFuse Service Works 6.0.0\nSingle Sign On 7.3.0+\nIf you have used the source package from one of these products to build artefacts on your system, you should do the following to remove potentially affected jars:\n1. Run 'find . -name struts2*.jar' under the source location\n2. Remove any files found\nThis will not affect the product, as the jar is included with the source of google-guice, but no functionality requiring struts2 is implemented.", "threat_severity": "Moderate", "upstream_fix": "struts2 2.3.28"}