{"id":"CVE-2016-4465","details":"The URLValidator class in Apache Struts 2 2.3.20 through 2.3.28.1 and 2.5.x before 2.5.1 allows remote attackers to cause a denial of service via a null value for a URL field.","aliases":["GHSA-xg75-68x3-7p3q"],"modified":"2026-05-28T04:03:16.106865598Z","published":"2016-07-04T22:59:10.117Z","database_specific":{"unresolved_ranges":[{"source":"CPE_STRING","extracted_events":[{"last_affected":"2.3.20"}],"vendor_product":"apache:struts","cpes":["cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*"]}]},"references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/91278"},{"type":"ADVISORY","url":"http://jvn.jp/en/jp/JVN12352818/index.html"},{"type":"ADVISORY","url":"http://jvndb.jvn.jp/jvndb/JVNDB-2016-000114"},{"type":"ADVISORY","url":"http://www-01.ibm.com/support/docview.wss?uid=swg21987854"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"},{"type":"ADVISORY","url":"https://struts.apache.org/docs/s2-041.html"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1348253"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/struts","events":[{"introduced":"0"},{"last_affected":"0320310406f6b11cfd235d7a9b866cf1de483a1e"},{"last_affected":"a9974eec5689a7113a6fb1e2096252f0935064dd"},{"last_affected":"bbbf43ec59e7bef3b07e9065dc9784c18a95d58b"},{"last_affected":"925741ad1e8e48c7a6d687fe02d3fdb6386eb64c"},{"last_affected":"7a9863169f7d981be0d2d57437974ae2cc0c8bd3"},{"last_affected":"36b6fff05cd4a17f75b091c0edd52e0c1e65ec06"},{"last_affected":"0ac8932aa3a1b28a8f950863c17165cdc63b1474"},{"last_affected":"2cf0a7efeb12c8f476e31324dc56456b340ddeab"},{"last_affected":"4bee55fee30086c786d09503125a2b1c2ae8dcfa"},{"last_affected":"2a37a2e32db6d6905de48e04f71d995f41055827"},{"last_affected":"56ae397d75430dc63fd68b0bfb36afbac1226023"},{"last_affected":"9a63e6504b2d246573ff1483d45d9b12a49aa9c6"}],"database_specific":{"source":"CPE_STRING","extracted_events":[{"introduced":"0"},{"last_affected":"2.3.20"},{"last_affected":"2.3.20.1"},{"last_affected":"2.3.20.3"},{"last_affected":"2.3.24"},{"last_affected":"2.3.24.1"},{"last_affected":"2.3.24.3"},{"last_affected":"2.3.28"},{"last_affected":"2.3.28.1"},{"last_affected":"2.5"},{"last_affected":"2.5-beta1"},{"last_affected":"2.5-beta2"},{"last_affected":"2.5-beta3"}],"cpe":["cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*","cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*","cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*","cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*","cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*","cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*","cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*","cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*","cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*","cpe:2.3:a:apache:struts:2.5:beta1:*:*:*:*:*:*","cpe:2.3:a:apache:struts:2.5:beta2:*:*:*:*:*:*","cpe:2.3:a:apache:struts:2.5:beta3:*:*:*:*:*:*"]}}],"versions":["STRUTS_2_5","STRUTS_2_3_24_3","STRUTS_2_3_20_3","STRUTS_2_3_28_1","STRUTS_2_3_28","STRUTS_2_3_24_2","STRUTS_2_3_20_2","STRUTS_2_3_24_1","STRUTS_2_3_20_1","STRUTS_2_3_27","STRUTS_2_3_26","STRUTS_2_3_25","STRUTS_2_5_BETA3","STRUTS_2_5_BETA2","STRUTS_2_3_24","STRUTS_2_5_BETA1","STRUTS_2_3_20"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-4465.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}