Apache Struts Extras Improper Output Neutralization for Logs Vulnerability
Vulnerability
A vulnerability has been identified in Apache Struts Extras versions prior to 2, involving improper output neutralization for logs. The issue arises when LookupDispatchAction is used: Struts may log untrusted input without filtering it first. Specially crafted input can therefore disrupt log interpretation by masquerading part of the message as a separate log entry, confusing human or automated log consumers. Because the project is retired, no fix will be released; users are advised to seek alternatives or limit access to trusted users.
Impact
Exploitation of this vulnerability can lead to log injection, where untrusted input is logged in a way that confuses log consumers, either human or automated.
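The following is an added illustration, not code from the advisory or from Struts itself, of the log-injection mechanism described above and of the neutralization the page says is missing: it writes one warning containing a constructed request parameter value both verbatim and with control characters escaped, then parses the output the way a line-oriented log consumer would. The log framing, the logger name, the message wording and the parameter value are all assumptions made for the example.

```python
import re

# Constructed log framing for this example; it is not Struts' real log layout.
TS = "2024-01-01T00:00:00Z"
ENTRY_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z (DEBUG|INFO|WARN|ERROR) \S+ - ")

# Constructed untrusted parameter value: a CR/LF followed by text shaped like a
# complete, separate entry, so a naive consumer reads two entries from one call.
CRAFTED_PARAM = "save\r\n" + TS + " INFO audit - user=admin action=login status=OK"

def neutralize(value):
    """Escape control characters so untrusted text cannot end the current entry.
    Backslash is escaped first so every escape sequence in the output is unambiguous."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def log_raw(sink, logger, msg):
    """Vulnerable pattern: the message is written exactly as supplied."""
    sink.append(f"{TS} WARN {logger} - {msg}")

def log_safe(sink, logger, msg):
    """Hardened pattern: the same call with the message neutralized first."""
    sink.append(f"{TS} WARN {logger} - {neutralize(msg)}")

def entries_seen(sink):
    """Parse the sink as a line-oriented consumer would: each line carrying the
    expected framing counts as its own entry."""
    return [ln for ln in "\n".join(sink).splitlines() if ENTRY_RE.match(ln)]

def demo(param=CRAFTED_PARAM):
    """Log one warning about an unmapped parameter value both ways and return the
    number of entries a consumer sees from each: (raw, neutralized)."""
    raw, safe = [], []
    msg = f"no method mapped for parameter value '{param}'"  # constructed wording
    log_raw(raw, "LookupDispatchAction", msg)
    log_safe(safe, "LookupDispatchAction", msg)
    return len(entries_seen(raw)), len(entries_seen(safe))
```

With the crafted value, `demo()` returns `(2, 1)`: the verbatim write produces a second, forged entry that a consumer cannot tell apart from a genuine one, while the neutralized write keeps the whole value inside the single entry that actually occurred.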
