Who should read this: All Struts 2 developers and users
Impact of vulnerability: Possible DoS attack when using URLValidator
Maximum security rating
Affected Software: Struts 2.3.7 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12
Reporter: Adam Cazzolla <acazzolla at sonatype dot com>, Jonathan Bullock <jonbullock at gmail dot com>
Problem: The previous fix issued with S2-047 was incomplete. If an application allows a URL to be entered in a form field and the built-in URLValidator is used, it is possible to craft a special URL that overloads the server process while the URL is being validated.
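The problem described above is validation work that grows out of proportion to the length of the submitted URL. The following Python validator is an added illustration of the defensive shape a practitioner wants here; it is not Struts code and not the project's own validator or regular expression. It applies a hard length cap before any parsing, uses urllib.parse instead of one large backtracking regex, and checks each host label with a short anchored pattern that has no nested quantifiers, so validation time stays linear in the input length. The function names, the limits and the sample URLs are constructed for this example.

```python
import re
import time
from urllib.parse import urlsplit

# Limits chosen for this example (assumptions; tune them to the application).
MAX_URL_LENGTH = 2048
MAX_HOST_LENGTH = 253
ALLOWED_SCHEMES = {"http", "https", "ftp"}

# One host label at a time, anchored, bounded repetition, no nested
# quantifiers: the matcher cannot backtrack catastrophically on any input.
_LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?", re.IGNORECASE)


def is_valid_url(url: str) -> bool:
    """Structural URL check whose cost is linear in len(url)."""
    # Reject oversized input before doing any parsing work on it.
    if not isinstance(url, str) or len(url) > MAX_URL_LENGTH:
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    if not host or len(host) > MAX_HOST_LENGTH:
        return False
    labels = host.split(".")
    # Require at least one dot and a purely alphabetic TLD of 2+ characters;
    # single-label hosts such as "localhost" are rejected by this policy.
    if len(labels) < 2 or any(_LABEL_RE.fullmatch(l) is None for l in labels):
        return False
    if not labels[-1].isalpha() or len(labels[-1]) < 2:
        return False
    try:
        port = parts.port  # raises ValueError when non-numeric or > 65535
    except ValueError:
        return False
    if port is not None and not (1 <= port <= 65535):
        return False
    return True


def validation_time(url: str) -> float:
    """Wall-clock seconds spent validating one URL; shows the check stays
    fast on long, repetitive inputs of the kind that make backtracking
    regexes slow."""
    start = time.perf_counter()
    is_valid_url(url)
    return time.perf_counter() - start


# Constructed sample inputs with their expected verdicts.
SAMPLES = {
    "https://example.com/path?q=1": True,
    "ftp://files.example.org:2121/pub": True,
    "http://example.com:99999/": False,   # port out of range
    "javascript:alert(1)": False,         # scheme not allowed
    "http://exa_mple.com/": False,        # underscore not a valid label char
    "http://localhost/": False,           # no TLD under this policy
    "http://" + "a" * 3000 + ".com/": False,  # exceeds MAX_URL_LENGTH
}


def check_samples() -> dict:
    """Run every sample through the validator and return the verdicts."""
    return {u: is_valid_url(u) for u in SAMPLES}


if __name__ == "__main__":
    for url, verdict in check_samples().items():
        print(f"{verdict!s:5} {url[:60]}")
    long_host = "http://" + "a." * 1000 + "com/"
    print(f"long input validated in {validation_time(long_host):.4f}s")
```

The length cap is the important first line of defence: whatever validator follows it, the server never spends more than a bounded amount of work on a single field. The per-label pattern is kept deliberately small so that its worst case is a handful of backtracking steps per label rather than exponential growth in the length of the host.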
Solution: Upgrade to Apache Struts version 2.5.13 or 2.3.34.
Backward compatibility: No backward incompatibility issues are expected.
Workaround: Instead of using the default RegEx provided by the UrlValidator you can use the below one: