High severity · NVD Advisory · Published Jul 16, 2015 · Updated May 6, 2026

CVE-2015-1831


Description

The default exclude patterns (excludeParams) in Apache Struts 2.3.20 allow remote attackers to "compromise internal state of an application" via unspecified vectors.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.apache.struts:struts2-core (Maven)
>= 2.0.0, < 2.3.20.1 | 2.3.20.1
org.apache.struts.xwork:xwork-core (Maven)
>= 2.0.0, < 2.3.20.1 | 2.3.20.1


Patches

1
d832747d647d

Applies better exclude patterns

https://github.com/apache/struts · Lukasz Lenart · May 3, 2015 · via ghsa
5 files changed · +18 27
  • core/src/main/resources/struts-default.xml+5 13 modified
    @@ -52,7 +52,7 @@
                     ognl.TypeConverter,
                     com.opensymphony.xwork2.ActionContext" />
         <!-- this must be valid regex, each '.' in package name must be escaped! -->
    -    <constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^javax.*" />
    +    <constant name="struts.excludedPackageNamePatterns" value="^java\.lang\..*,^ognl.*,^(?!javax\.servlet\..+)(javax\..+)" />
     
         <bean class="com.opensymphony.xwork2.ObjectFactory" name="struts"/>
         <bean type="com.opensymphony.xwork2.factory.ResultFactory" name="struts" class="org.apache.struts2.factory.StrutsResultFactory" />
    @@ -224,9 +224,7 @@
                     <interceptor-ref name="datetime"/>
                     <interceptor-ref name="multiselect"/>
                     <interceptor-ref name="actionMappingParams"/>
    -                <interceptor-ref name="params">
    -                    <param name="excludeParams">^action:.*,^method:.*</param>
    -                </interceptor-ref>
    +                <interceptor-ref name="params"/>
                     <interceptor-ref name="conversionError"/>
                     <interceptor-ref name="deprecation"/>
                 </interceptor-stack>
    @@ -281,19 +279,15 @@
                     <interceptor-ref name="checkbox"/>
                     <interceptor-ref name="datetime"/>
                     <interceptor-ref name="multiselect"/>
    -                <interceptor-ref name="params">
    -                    <param name="excludeParams">^action:.*,^method:.*</param>
    -                </interceptor-ref>
    +                <interceptor-ref name="params"/>
                     <interceptor-ref name="servletConfig"/>
                     <interceptor-ref name="prepare"/>
                     <interceptor-ref name="chain"/>
                     <interceptor-ref name="modelDriven"/>
                     <interceptor-ref name="fileUpload"/>
                     <interceptor-ref name="staticParams"/>
                     <interceptor-ref name="actionMappingParams"/>
    -                <interceptor-ref name="params">
    -                    <param name="excludeParams">^action:.*,^method:.*</param>
    -                </interceptor-ref>
    +                <interceptor-ref name="params"/>
                     <interceptor-ref name="conversionError"/>
                     <interceptor-ref name="validation">
                         <param name="excludeMethods">input,back,cancel,browse</param>
    @@ -329,9 +323,7 @@
                     <interceptor-ref name="multiselect"/>
                     <interceptor-ref name="staticParams"/>
                     <interceptor-ref name="actionMappingParams"/>
    -                <interceptor-ref name="params">
    -                    <param name="excludeParams">^action:.*,^method:.*</param>
    -                </interceptor-ref>
    +                <interceptor-ref name="params"/>
                     <interceptor-ref name="conversionError"/>
                     <interceptor-ref name="validation">
                         <param name="excludeMethods">input,back,cancel,browse</param>
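Review bot: The new `struts.excludedPackageNamePatterns` value in the first hunk re-admits the entire `javax.servlet` subtree through the negative lookahead `(?!javax\.servlet\..+)`, and nothing beside it records why that exemption is needed or how far it is meant to reach; a comment such as `<!-- javax.* is excluded except javax.servlet.*; this exemption is a security boundary, widen it only deliberately -->` would keep it from being loosened casually later. The existing comment on the line above ("each '.' in package name must be escaped") no longer describes the value either, since `^ognl.*` keeps its dot unescaped, presumably so the top-level `ognl` package itself also matches — that is worth stating rather than leaving as an apparent mistake. The three later hunks remove the per-stack `excludeParams` of `^action:.*,^method:.*`; this stays equivalent only because the same prefixes are hardcoded in DefaultExcludedPatternsChecker in this commit, so a comment at the first `<interceptor-ref name="params"/>` pointing at that class would make the dependency visible to anyone maintaining a copied stack.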
    
  • core/src/test/java/org/apache/struts2/interceptor/CookieInterceptorTest.java+4 1 modified
    @@ -27,6 +27,7 @@
     
     import javax.servlet.http.Cookie;
     
    +import com.opensymphony.xwork2.security.DefaultAcceptedPatternsChecker;
     import com.opensymphony.xwork2.security.DefaultExcludedPatternsChecker;
     import com.opensymphony.xwork2.mock.MockActionInvocation;
     import org.easymock.MockControl;
    @@ -370,7 +371,9 @@ protected boolean isAcceptableValue(String value) {
                     return accepted;
                 }
             };
    -        interceptor.setExcludedPatternsChecker(new DefaultExcludedPatternsChecker());
    +        DefaultExcludedPatternsChecker excludedPatternsChecker = new DefaultExcludedPatternsChecker();
    +        excludedPatternsChecker.setAdditionalExcludePatterns(".*(^|\\.|\\[|'|\")class(\\.|\\[|'|\").*");
    +        interceptor.setExcludedPatternsChecker(excludedPatternsChecker);
             interceptor.setCookiesName("*");
     
             MockActionInvocation invocation = new MockActionInvocation();
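Review bot: The regex passed to `setAdditionalExcludePatterns` here is the same literal that DefaultExcludedPatternsCheckerTest and xwork-param-test.xml add in this commit, so three copies can now drift silently (the XML already spells the quote as `\'` where the Java literals use `'`); a single constant shared by the tests, or at least a comment naming the other copies, would keep them aligned. Nothing in the hunk says why this test must now opt into the pattern; a one-line comment such as `// the "class" exclusion is no longer part of DefaultExcludedPatternsChecker.EXCLUDED_PATTERNS, so the test enables it explicitly` would make the link to that change clear. The test method starts before the hunk.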
    
  • xwork-core/src/main/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsChecker.java+2 10 modified
    @@ -16,16 +16,8 @@ public class DefaultExcludedPatternsChecker implements ExcludedPatternsChecker {
         private static final Logger LOG = LoggerFactory.getLogger(DefaultExcludedPatternsChecker.class);
     
         public static final String[] EXCLUDED_PATTERNS = {
    -            "(.*\\.|^|.*|\\[('|\"))\\bclass(\\.|('|\")]|\\[).*",
    -            "(^|.*#)dojo(\\.|\\[).*",
    -            "(^|.*#)struts(\\.|\\[).*",
    -            "(^|.*#)session(\\.|\\[).*",
    -            "(^|.*#)request(\\.|\\[).*",
    -            "(^|.*#)application(\\.|\\[).*",
    -            "(^|.*#)servlet(Request|Response)(\\.|\\[).*",
    -            "(^|.*#)parameters(\\.|\\[).*",
    -            "(^|.*#)context(\\.|\\[).*",
    -            "(^|.*#)_memberAccess(\\.|\\[).*"
    +        "(^|.*#)(dojo|struts|session|request|application|servlet(Request|Response)|parameters|context|_memberAccess)(\\.|\\[).*",
    +        "^(action|method):.*"
         };
     
         private Set<Pattern> excludedPatterns;
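Review bot: The rewritten `EXCLUDED_PATTERNS` drops the first entry, the one that rejected `class`-prefixed parameter names, so the built-in defaults no longer block such names on their own; every test and test resource touched by this commit has to re-add that regex through `setAdditionalExcludePatterns` or the `additionalExcludedPatterns` constant, which suggests the protection moved from a hardcoded default to configuration. If that is intended, the field needs Javadoc saying so — that this list covers only the OGNL context roots and the `action:`/`method:` prefixes, and that excluding `class` access is expected to come from additional patterns configured elsewhere — because a reader of this class alone will assume the list is complete. As a style point the two new entries are indented by 8 spaces where the surrounding array used 12, and the combined alternation would read more easily with one alternative per line. The enclosing class continues outside the hunk.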
    
  • xwork-core/src/test/java/com/opensymphony/xwork2/security/DefaultExcludedPatternsCheckerTest.java+5 2 modified
    @@ -53,7 +53,8 @@ public void testHardcodedPatterns() throws Exception {
                 }
             };
     
    -        ExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();
    +        DefaultExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();
    +        checker.setAdditionalExcludePatterns(".*(^|\\.|\\[|'|\")class(\\.|\\[|'|\").*");
     
             for (String param : params) {
                 // when
    @@ -71,6 +72,8 @@ public void testParamWithClassInName() throws Exception {
             properParams.add("form.eventClass");
             properParams.add("form[\"eventClass\"]");
             properParams.add("form['eventClass']");
    +        properParams.add("class.super@demo.com");
    +        properParams.add("super.class@demo.com");
     
             ExcludedPatternsChecker checker = new DefaultExcludedPatternsChecker();
     
    @@ -100,4 +103,4 @@ public void testStrutsTokenIsExcluded() throws Exception {
             }
         }
     
    -}
    \ No newline at end of file
    +}
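Review bot: The two fixtures added to `testParamWithClassInName`, `class.super@demo.com` and `super.class@demo.com`, pass only because that test constructs a plain `DefaultExcludedPatternsChecker` without the additional pattern; under the regex that `testHardcodedPatterns` now sets, `.*(^|\\.|\\[|'|\")class(\\.|\\[|'|\").*`, the first fixture matches through the `^class\.` branch and would be excluded. The test therefore documents only the weaker default, so either say that on the added lines, e.g. `// accepted by the built-in patterns alone; the optional "class" pattern would still reject class.super@demo.com`, or add a second pass that runs the same fixtures through a checker with the additional pattern so both behaviours are pinned. Changing `checker` from the `ExcludedPatternsChecker` interface to the concrete type in the first hunk appears to be needed only because `setAdditionalExcludePatterns` is not on the interface; a brief comment would spare the next reader the question. Both test methods begin before their hunks.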
    
  • xwork-core/src/test/resources/xwork-param-test.xml+2 1 modified
    @@ -5,4 +5,5 @@
     <xwork>
     	<constant name="devMode" value="true" />
         <constant name="ognlExcludedClasses" value="java.lang.Object,java.lang.Runtime" />
    -</xwork>
    \ No newline at end of file
    +    <constant name="additionalExcludedPatterns" value=".*(^|\.|\[|\'|&quot;)class(\.|\[|\'|&quot;).*" />
    +</xwork>
    

