{
  "threat_severity" : "Moderate",
  "public_date" : "2016-06-07T00:00:00Z",
  "bugzilla" : {
    "description" : "struts: Improper input validation in Validator",
    "id" : "1343540",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1343540"
  },
  "cvss" : {
    "cvss_base_score" : "5.8",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:P/A:P",
    "status" : "draft"
  },
  "cwe" : "CWE-20",
  "details" : [ "ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899." ],
  "statement" : "This issue affects the version of struts shipped with Red Hat Enterprise Linux 5, which is currently in Extended Life Phase. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification https://access.redhat.com/security/updates/classification/ and the Red Hat Enterprise Linux Life Cycle https://access.redhat.com/support/policy/updates/errata/.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "struts",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Not affected",
    "package_name" : "struts",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  }, {
    "product_name" : "Red Hat Satellite 5",
    "fix_state" : "Will not fix",
    "package_name" : "struts",
    "cpe" : "cpe:/a:redhat:network_satellite:5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-1182\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-1182\nhttps://jvn.jp/en/jp/JVN65044642/" ],
  "name" : "CVE-2016-1182",
  "csaw" : false
}