CWE-108: Struts: Unvalidated Action Form
CWE version: 4.18
Last updated: 2025-09-09
Weakness description
Every Action Form must have a corresponding validation form.
Extended description
If a Struts Action Form Mapping specifies a form, it must have a validation form defined under the Struts Validator.
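As an added illustration (not part of the CWE entry and not Apache Struts project code), the following hypothetical Struts 1 configuration shows an action mapping whose form bean has no matching entry in `validation.xml`, beside a corrected mapping whose form name is registered with the Struts Validator. The bean names (`searchForm`, `loginForm`), action classes (`com.example.SearchAction`, `com.example.LoginAction`), JSP paths and resource keys are assumptions; the element names, the `DynaValidatorForm` type, the `ValidatorPlugIn` and the `required`, `mask`, `minlength` and `maxlength` validators are standard Struts 1 Validator features.

```xml
<!-- Excerpt from a hypothetical struts-config.xml (assumed example, not from the CWE entry) -->
<struts-config>
  <form-beans>
    <!-- Both beans use the Validator's DynaValidatorForm, but that alone checks nothing:
         rules only run for forms that have a matching <form name="..."> in validation.xml. -->
    <form-bean name="searchForm" type="org.apache.struts.validator.DynaValidatorForm">
      <form-property name="query" type="java.lang.String"/>
    </form-bean>
    <form-bean name="loginForm" type="org.apache.struts.validator.DynaValidatorForm">
      <form-property name="username" type="java.lang.String"/>
      <form-property name="password" type="java.lang.String"/>
    </form-bean>
  </form-beans>

  <action-mappings>
    <!-- WEAK: searchForm is mapped with validate="true", yet if validation.xml defines no
         <form name="searchForm">, "query" reaches SearchAction unchecked (CWE-108). -->
    <action path="/search" type="com.example.SearchAction"
            name="searchForm" scope="request" validate="true" input="/search.jsp"/>

    <!-- OK: loginForm has a matching validation form (see validation.xml below). -->
    <action path="/login" type="com.example.LoginAction"
            name="loginForm" scope="request" validate="true" input="/login.jsp">
      <forward name="success" path="/home.jsp"/>
    </action>
  </action-mappings>

  <!-- Registers the Validator plug-in and the files that hold the rule definitions. -->
  <plug-in className="org.apache.struts.validator.ValidatorPlugIn">
    <set-property property="pathnames"
                  value="/WEB-INF/validator-rules.xml,/WEB-INF/validation.xml"/>
  </plug-in>
</struts-config>

<!-- Hypothetical /WEB-INF/validation.xml. The <form name="searchForm"> entry at the end is
     the fix for the weak mapping above; without it the search input is never validated. -->
<form-validation>
  <formset>
    <form name="loginForm">
      <field property="username" depends="required,mask,maxlength">
        <arg key="login.username" position="0"/>
        <arg name="maxlength" key="${var:maxlength}" resource="false" position="1"/>
        <var><var-name>mask</var-name><var-value>^[A-Za-z0-9_.]+$</var-value></var>
        <var><var-name>maxlength</var-name><var-value>32</var-value></var>
      </field>
      <field property="password" depends="required,minlength,maxlength">
        <arg key="login.password" position="0"/>
        <arg name="minlength" key="${var:minlength}" resource="false" position="1"/>
        <arg name="maxlength" key="${var:maxlength}" resource="false" position="1"/>
        <var><var-name>minlength</var-name><var-value>8</var-value></var>
        <var><var-name>maxlength</var-name><var-value>128</var-value></var>
      </field>
    </form>

    <!-- Corrected: every form bean referenced by an action mapping gets a validation form. -->
    <form name="searchForm">
      <field property="query" depends="required,mask,maxlength">
        <arg key="search.query" position="0"/>
        <arg name="maxlength" key="${var:maxlength}" resource="false" position="1"/>
        <var><var-name>mask</var-name><var-value>^[A-Za-z0-9 ]+$</var-value></var>
        <var><var-name>maxlength</var-name><var-value>64</var-value></var>
      </field>
    </form>
  </formset>
</form-validation>
```

The failure mode is silent: a `DynaValidatorForm` whose name has no `<form>` entry reports no errors, so the action proceeds as if the input had been validated. A quick review check is to list every `name` attribute on `<action>` elements in `struts-config.xml` and confirm each appears as a `<form name>` in the files named in the `ValidatorPlugIn` `pathnames` property.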
Common consequences
Scope: Other
Technical impact: Other
Note: If an action form mapping does not have a validation form defined, it may be vulnerable to a number of attacks that rely on unchecked input. Unchecked input is the root cause of some of today's worst and most common software security problems. Cross-site scripting, SQL injection, and process control vulnerabilities all stem from incomplete or absent input validation.
Scope: Confidentiality, Integrity, Availability, Other
Technical impact: Other
Note: Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.
Potential mitigations
Phase: Implementation
Strategy: Input Validation
Modes of introduction
| Phase | Note |
|---|---|
| Implementation | - |
Applicable platforms
Languages
Taxonomy mappings
| Taxonomy name | Entry ID | Entry name | Mapping fit |
|---|---|---|---|
| 7 Pernicious Kingdoms | - | Struts: Unvalidated Action Form | - |
| Software Fault Patterns | SFP24 | Tainted input to command | - |