Vulnerability Name:
CVE-2015-5169 (CCN-105879)
Assigned:
2015-08-26
Published:
2015-08-26
Updated:
2018-11-23
Summary:
Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20.
CVSS v3 Severity:
6.1 Medium
(CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
)
5.3 Medium
(Temporal CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope:
Scope (S):
Changed
Impact Metrics:
Confidentiality (C):
Low
Integrity (I):
Low
Availibility (A):
None
6.1 Medium
(CCN CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
)
5.3 Medium
(CCN Temporal CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C
)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope:
Scope (S):
Changed
Impact Metrics:
Confidentiality (C):
Low
Integrity (I):
Low
Availibility (A):
None
CVSS v2 Severity:
4.3 Medium
(CVSS v2 Vector:
AV:N/AC:M/Au:N/C:N/I:P/A:N
)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Medium
Authentication (Au):
None
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
Partial
Availibility (A):
None
5.5 Medium
(CCN CVSS v2 Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:N
)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Low
Athentication (Au):
Single_Instance
Impact Metrics:
Confidentiality (C):
Partial
Integrity (I):
Partial
Availibility (A):
None
Vulnerability Type:
CWE-79
Vulnerability Consequences:
Cross-Site Scripting
References:
Source: MITRE
Type: CNA
CVE-2015-5169
Source: CCN
Type: JVN#95989300
Apache Struts vulnerable to cross-site scripting
Source: JVN
Type: Third Party Advisory, VDB Entry
JVN#95989300
Source: JVNDB
Type: Third Party Advisory, VDB Entry
JVNDB-2015-000125
Source: CCN
Type: Apache Struts 2 Documentation S2-025
Cross-Site Scripting Vulnerability in Debug Mode
Source: CCN
Type: IBM Security Bulletin 1968765
IBM Connections Mobile Server Security Refresh for Apache Struts CVE-ID: CVE-2015-5169 and CVE-2015-2992
Source: BID
Type: Third Party Advisory, VDB Entry
76625
Source: CONFIRM
Type: Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1260087
Source: XF
Type: UNKNOWN
apache-struts-cve20155169-xss(105879)
Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20180629-0003/
Source: CONFIRM
Type: Vendor Advisory
https://struts.apache.org/docs/s2-025.html
Source: CCN
Type: IBM Security Bulletin 6620351 (Call Center for Commerce)
IBM Call Center and Apache Struts Struts upgrade strategy (various CVEs, see below)
Source: CCN
Type: IBM Security Bulletin 6620355 (Sterling Order Management)
IBM Sterling Order Management Apache Struts upgrade strategy (various CVEs, see below)
Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2015-5169
Vulnerable Configuration:
Configuration 1
:
cpe:/a:apache:struts:*:*:*:*:*:*:*:*
(Version >= 2.0.0 and <= 2.3.16.3)
Configuration CCN 1
:
cpe:/a:apache:struts:2.0.8:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.0.1:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.0.5:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.0.6:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.0.9:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.0.10:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.0.11:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.0.11.1:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.0.11.2:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.1:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.0.0:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.0.12:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.0.13:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.0.14:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.0.2:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.0.3:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.0.4:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.0.7:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.1.0:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.1.1:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.1.2:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.1.3:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.1.4:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.1.5:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.1.6:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.1.8:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.1.8.1:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.2.1:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.2.1.1:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.2.3:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.1:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.13:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.14:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.15:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.15.3:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.2.3.1:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.8:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.7:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.4.1:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.4:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.3:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.1.2:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.1.1:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.12:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.15.1:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.16:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.15.2:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.16.1:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.16.2:*:*:*:*:*:*:*
OR
cpe:/a:apache:struts:2.3.16.3:*:*:*:*:*:*:*
AND
cpe:/a:ibm:connections:4.5:*:*:*:*:*:*:*
OR
cpe:/a:ibm:connections:3.0.1.1:*:*:*:*:*:*:*
OR
cpe:/a:ibm:connections:4.0:*:*:*:*:*:*:*
OR
cpe:/a:ibm:connections:5.0:*:*:*:*:*:*:*
Denotes that component is vulnerable
Oval Definitions
Definition ID
Class
Title
Last Modified
oval:com.ubuntu.trusty:def:20155169000
V
CVE-2015-5169 on Ubuntu 14.04 LTS (trusty) - low.
2017-09-25
oval:com.ubuntu.precise:def:20155169000
V
CVE-2015-5169 on Ubuntu 12.04 LTS (precise) - low.
2015-10-09
BACK
apache
struts *
apache
struts 2.0.8
apache
struts 2.0.1
apache
struts 2.0.5
apache
struts 2.0.6
apache
struts 2.0.9
apache
struts 2.0.10
apache
struts 2.0.11
apache
struts 2.0.11.1
apache
struts 2.0.11.2
apache
struts 2.1
apache
struts 2.0.0
apache
struts 2.0.12
apache
struts 2.0.13
apache
struts 2.0.14
apache
struts 2.0.2
apache
struts 2.0.3
apache
struts 2.0.4
apache
struts 2.0.7
apache
struts 2.1.0
apache
struts 2.1.1
apache
struts 2.1.2
apache
struts 2.1.3
apache
struts 2.1.4
apache
struts 2.1.5
apache
struts 2.1.6
apache
struts 2.1.8
apache
struts 2.1.8.1
apache
struts 2.2.1
apache
struts 2.2.1.1
apache
struts 2.2.3
apache
struts 2.3.1
apache
struts 2.3.14.3
apache
struts 2.3.13
apache
struts 2.3.14
apache
struts 2.3.15
apache
struts 2.3.15.3
apache
struts 2.2.3.1
apache
struts 2.3.8
apache
struts 2.3.7
apache
struts 2.3.4.1
apache
struts 2.3.4
apache
struts 2.3.3
apache
struts 2.3.1.2
apache
struts 2.3.1.1
apache
struts 2.3.12
apache
struts 2.3.14.2
apache
struts 2.3.14.1
apache
struts 2.3.15.1
apache
struts 2.3.16
apache
struts 2.3.15.2
apache
struts 2.3.16.1
apache
struts 2.3.16.2
apache
struts 2.3.16.3
ibm
connections 4.5
ibm
connections 3.0.1.1
ibm
connections 4.0
ibm
connections 5.0