CVE-2006-1547
Published: 30 March 2006
Summary
CVE-2006-1547 is a high-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Apache Struts. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 4.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The vulnerability affects ActionForm in Apache Struts versions before 1.2.9 when used with BeanUtils 1.7. Struts populates the form bean from request parameter names through BeanUtils, which resolves dotted names as nested property paths via the bean's public getters. A remote attacker can therefore submit a multipart/form-data encoded request containing a parameter name that references the public getMultipartRequestHandler method, gaining access to internal elements of the CommonsMultipartRequestHandler implementation and of BeanUtils and causing a denial of service. The CVSS 3.1 base score of 7.5 reflects a network attack vector, low attack complexity, and high availability impact.
Unauthenticated attackers with network access can exploit the flaw by crafting form submissions that invoke the exposed method chain, causing the application to become unavailable without requiring user interaction or elevated privileges. The impact is availability-only, with no confidentiality or integrity consequences.
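The following is an added example, not code from Apache Struts or Commons BeanUtils, written in Python rather than Java. It models the one behaviour the vulnerability depends on: a multipart field name is treated as a JavaBeans property path and resolved through public getters, so a name rooted at multipartRequestHandler (the bean property behind the public getMultipartRequestHandler method) reaches into the handler object, whereas a populate routine that binds only the form's declared top-level properties rejects it. The class and attribute names (FormBean, MultipartHandler, Servlet, config) and the sample request body are constructed stand-ins and do not reflect the real Struts object graph or the code of the 1.2.9 fix.

```python
"""Toy model of the CVE-2006-1547 exposure and an input-validation fix.

Constructed example for this page, not Apache Struts or Commons BeanUtils
code. It imitates the one behaviour the CVE depends on: Struts 1 hands
request parameter names to BeanUtils as JavaBeans property paths ("a.b.c")
resolved through public getters, so a multipart field named
"multipartRequestHandler.<...>" is resolved through ActionForm's public
getMultipartRequestHandler() into the handler's internals. Class and
attribute names below are illustrative stand-ins.
"""
import re

BOUNDARY = "----constructed-boundary"

# Constructed request body: one legitimate field plus one whose name is a
# nested property path rooted at the exposed getter.
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="username"\r\n'
    "\r\n"
    "alice\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="multipartRequestHandler.servlet.config"\r\n'
    "\r\n"
    "x\r\n"
    f"--{BOUNDARY}--\r\n"
)

_NAME_RE = re.compile(r'Content-Disposition:.*?\bname="([^"]*)"', re.I)


def parse_multipart(body: str, boundary: str) -> dict:
    """Return {field name: value} for the text parts of a multipart/form-data body."""
    fields = {}
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")
        if not part or part == "--":          # preamble / closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        match = _NAME_RE.search(headers)
        if match:
            fields[match.group(1)] = value
    return fields


class Servlet:                                 # stand-in for handler internals
    def __init__(self):
        self.config = "original"


class MultipartHandler:                        # stand-in for CommonsMultipartRequestHandler
    def __init__(self):
        self.servlet = Servlet()


class FormBean:                                # stand-in for a Struts ActionForm subclass
    def __init__(self):
        self.username = None
        # Public in Struts via getMultipartRequestHandler(); the bean property
        # name "multipartRequestHandler" follows the JavaBeans convention.
        self.multipartRequestHandler = MultipartHandler()


def populate_unsafe(form, fields):
    """BeanUtils-style population: every '.' segment is followed via a getter."""
    for name, value in fields.items():
        *path, leaf = name.split(".")
        target = form
        for segment in path:
            target = getattr(target, segment)  # walks into the handler object graph
        setattr(target, leaf, value)
    return form


BINDABLE = frozenset({"username"})             # the form's own declared properties


def populate_hardened(form, fields):
    """Bind only declared top-level properties; reject nested paths.

    Returns the rejected names so the caller can log them. This models the
    SI-10 input-validation control, not the code of the actual 1.2.9 fix.
    """
    rejected = []
    for name, value in fields.items():
        root = re.split(r"[.\[(]", name, maxsplit=1)[0]
        if name != root or root not in BINDABLE:
            rejected.append(name)
            continue
        setattr(form, name, value)
    return rejected


if __name__ == "__main__":
    fields = parse_multipart(SAMPLE_BODY, BOUNDARY)
    hit = populate_unsafe(FormBean(), fields)
    print("unsafe: handler internals now", hit.multipartRequestHandler.servlet.config)
    safe = FormBean()
    print("hardened: rejected", populate_hardened(safe, fields),
          "username =", safe.username)
```

The unsafe routine shows why a public getter on the form is enough to expose everything reachable from it; the hardened routine shows the shape of the check: decide bindability on the first path segment and refuse any name that is not exactly a declared property, rather than trying to enumerate dangerous getters.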
Advisories referenced in the CVE entry, including Apache Bugzilla 38534, SUSE security announcements, and Secunia reports, document the affected versions and point to the 1.2.9 release as the corrective version.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-3054
Vulnerability details
ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.
- CWE(s): CWE-749 (Exposed Dangerous Method or Function)
- KEV Date Added: 21 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Apache Struts ActionForm in versions before 1.2.9, when used with BeanUtils 1.7.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Rejects or sanitizes a multipart parameter name that references the public getMultipartRequestHandler method before BeanUtils processes it.
- SI-10 (Information Input Validation): Enforces that untrusted form input cannot reach internal elements of the CommonsMultipartRequestHandler implementation or BeanUtils through that getter.
- SI-2 (Flaw Remediation): Requires prompt application of the Struts 1.2.9 update, which the referenced advisories identify as the corrective release.