Candidate: CVE-2016-4430
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4430
 https://struts.apache.org/docs/s2-038.html
Description:
 Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which
 allows remote attackers to conduct cross-site request forgery (CSRF)
 attacks via unspecified vectors.
Notes:
 sarnold> It's claimed "Struts 2.3.20 - Struts Struts 2.3.28.1" but I see no
 positive statement that 2.3.19 and earlier weren't affected or perhaps may
 have missed CSRF protection entirely or just outside of support lifetimes
 or whatever. So I'm leaving this 'needs-triage'.
Discovered-by: Takeshi Terada

Patches_libstruts1.2-java:
upstream_libstruts1.2-java: released (2.3.29)
precise_libstruts1.2-java: ignored (reached end-of-life)
precise/esm_libstruts1.2-java: DNE (precise was needs-triage)
trusty_libstruts1.2-java: needs-triage
vivid/stable-phone-overlay_libstruts1.2-java: DNE
vivid/ubuntu-core_libstruts1.2-java: DNE
wily_libstruts1.2-java: DNE
xenial_libstruts1.2-java: DNE
yakkety_libstruts1.2-java: DNE
zesty_libstruts1.2-java: DNE
artful_libstruts1.2-java: DNE
bionic_libstruts1.2-java: DNE
devel_libstruts1.2-java: DNE