Cyber Resilience

CVE-2006-1547

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 30 March 2006
Modified: 16 April 2026
KEV Added: 21 January 2022
Patch: Struts 1.2.9
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.2219 (95.9th percentile)
Risk Priority: 48 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2006-1547 is a high-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Apache Struts. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 4.1% of CVEs by EPSS exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability affects ActionForm in Apache Struts versions before 1.2.9 when used with BeanUtils 1.7. ActionForm exposes a public getMultipartRequestHandler method, and because Struts populates form properties by handing request parameter names to BeanUtils, a parameter name rooted at that property lets a remote attacker reach into the CommonsMultipartRequestHandler implementation and into BeanUtils itself. A crafted multipart/form-data request carrying such a parameter name causes a denial of service. The CVSS 3.1 score of 7.5 reflects a network attack vector, low attack complexity, no privileges or user interaction required, and a high availability impact.

Unauthenticated attackers with network access exploit the flaw by crafting form submissions whose parameter names invoke the exposed method chain, causing the application to fail without any user interaction or elevated privileges. The impact is availability only; confidentiality and integrity are unaffected. The precondition is a Struts 1 application that accepts multipart form submissions into an ActionForm with BeanUtils 1.7 on the classpath.

Advisories referenced in the CVE entry, including Apache Bugzilla 38534, SUSE security announcements, and Secunia reports, document the affected versions and identify the Struts 1.2.9 release as the corrective version.

Vulnerability details

ActionForm in Apache Software Foundation (ASF) Struts before 1.2.9 with BeanUtils 1.7 allows remote attackers to cause a denial of service via a multipart/form-data encoded form with a parameter name that references the public getMultipartRequestHandler method, which provides further access to elements in the CommonsMultipartRequestHandler implementation and BeanUtils.

CWE(s): CWE-749 Exposed Dangerous Method or Function

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache struts < 1.2.9 (fixed in 1.2.9)

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10 Information Input Validation): reject or sanitize any multipart parameter name that references the public getMultipartRequestHandler property before BeanUtils processes it.

Prevent: enforce that untrusted form input cannot invoke or expose implementation details of CommonsMultipartRequestHandler through the ActionForm property chain; the exposed method itself is public, so the control must sit on the parameter-to-property binding rather than on method visibility.

Prevent (SI-2 Flaw Remediation): apply the Struts 1.2.9 update promptly; it closes the exposed method chain in ActionForm.
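As an added illustration of the SI-10 control above, and of the mechanism described under Deeper analysis, the following Python models the check an application (or a filter in front of it) can apply to multipart/form-data parameter names before any reflective bean population runs. It is not Struts or BeanUtils code and it is not the 1.2.9 patch. The ActionForm field list, the boundary and the request body are constructed for the example; the nested element name in the hostile part is illustrative, since the page does not name the elements that were reachable through getMultipartRequestHandler. The property-root extraction follows BeanUtils' nested, indexed and mapped syntax, so a name such as `multipartRequestHandler(x)` is caught as well as `multipartRequestHandler.x`.

```python
"""Added illustration of the SI-10 input-validation control for CVE-2006-1547.

Not Struts, BeanUtils or the 1.2.9 patch: a model of screening multipart
parameter names before any reflective bean population happens.
"""
import re

# Constructed: the bindable fields a hypothetical ActionForm declares.
ALLOWED_FIELDS = {"username", "comment", "attachment"}

# Property root that must never be reachable from a request parameter.
# "multipartRequestHandler" is the bean property behind
# ActionForm.getMultipartRequestHandler(), the method named in the CVE.
BLOCKED_ROOTS = {"multipartRequestHandler"}

# Constructed request body. The nested element name in the hostile part is
# illustrative only.
BOUNDARY = "----example-boundary"
BODY = (
    b"------example-boundary\r\n"
    b'Content-Disposition: form-data; name="username"\r\n'
    b"\r\n"
    b"alice\r\n"
    b"------example-boundary\r\n"
    b'Content-Disposition: form-data; name="multipartRequestHandler.fileElements(x)"\r\n'
    b"\r\n"
    b"anything\r\n"
    b"------example-boundary\r\n"
    b'Content-Disposition: form-data; name="attachment"; filename="a.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"------example-boundary--\r\n"
)


def property_root(name: str) -> str:
    """Leading segment of a BeanUtils-style property expression.

    BeanUtils accepts nested ('a.b'), indexed ('a[0]') and mapped ('a(k)')
    syntax, so the root is whatever precedes the first '.', '[' or '('.
    """
    return re.split(r"[.\[(]", name, maxsplit=1)[0]


def parse_multipart_names(body: bytes, boundary: str) -> list[str]:
    """Return the name="..." of every part in a multipart/form-data body.

    The \\b before name= keeps a filename="..." disposition parameter from
    being mistaken for the part name.
    """
    delimiter = b"--" + boundary.encode("ascii")
    names = []
    for chunk in body.split(delimiter):
        chunk = chunk.strip()
        if not chunk or chunk == b"--":  # preamble, or the closing "--"
            continue
        headers, _, _ = chunk.partition(b"\r\n\r\n")
        m = re.search(rb'Content-Disposition:[^\r\n]*?\bname="([^"]*)"', headers, re.I)
        if m:
            names.append(m.group(1).decode("utf-8", "replace"))
    return names


def validate_parameter_names(names):
    """Split names into (accepted, rejected); each rejection carries a reason.

    The allowlist alone is sufficient to block the CVE; the explicit blocklist
    is kept so a hit on the CVE's property root can be logged as an
    exploitation attempt rather than as an ordinary unknown field.
    """
    accepted, rejected = [], []
    for name in names:
        root = property_root(name)
        if root in BLOCKED_ROOTS:
            rejected.append((name, "blocked property root"))
        elif root not in ALLOWED_FIELDS:
            rejected.append((name, "not a declared form field"))
        else:
            accepted.append(name)
    return accepted, rejected


def screen_request(body: bytes, boundary: str):
    """Parse then validate; a request with any rejected name is refused."""
    accepted, rejected = validate_parameter_names(parse_multipart_names(body, boundary))
    return {"accept": not rejected, "accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    print(screen_request(BODY, BOUNDARY))
```

Running the block refuses the constructed request and reports the offending name with the reason "blocked property root", while the two legitimate parts are accepted. In a real deployment the screening would run in a servlet filter ahead of form population, and the allowlist would be derived from the ActionForm's declared properties rather than hard-coded.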
