Apache Struts 2 DevMode Enabled

medium Web App Scanning Plugin ID 112370

Language:

Synopsis

Apache Struts 2 DevMode Enabled

Description

Apache Struts 2 installed on the remote host is configured to operate in development mode (devMode). While this environment can help speed up development of web applications, it can leak information about the underlying web applications as well as the installation of Struts, Java, and other related items on the remote host.

Solution

Disable Apache Struts 2 development mode.

See Also

https://struts.apache.org/core-developers/development-mode.html

https://struts.apache.org/getting-started/debugging-struts.html

https://struts.apache.org/security/#disable-devmode

Plugin Details

Severity: Medium

ID: 112370

Type: remote

Family: Component Vulnerability

Published: 9/11/2018

Updated: 3/18/2022

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Vulnerability Information

CPE: cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*

Exploit Available: true

Reference Information

CWE: 16

OWASP: 2010-A6, 2013-A5, 2013-A9, 2017-A6, 2017-A9, 2021-A5, 2021-A6

WASC: Application Misconfiguration

DISA STIG: APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-CM-6b

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-14.2.1

PCI-DSS: 3.2-6.2