CVE-2025-54656

{"id": "CVE-2025-54656", "cveTags": [{"tags": ["unsupported-when-assigned"], "sourceIdentifier": "security@apache.org"}], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2025-07-30T16:15:28.693", "references": [{"url": "https://lists.apache.org/thread/so5cn07j2zn9vlf1xnfqp630wts719rr", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-117"}]}], "descriptions": [{"lang": "en", "value": "** UNSUPPORTED WHEN ASSIGNED ** Improper Output Neutralization for Logs vulnerability in Apache Struts.\n\nThis issue affects Apache Struts Extras: before 2.\n\nWhen using LookupDispatchAction, in some cases, Struts may print untrusted input to the logs without any filtering. Specially-crafted input may lead to log output where part of the message masquerades as a separate log line, confusing consumers of the logs (either human or automated).\u00a0\n\nAs this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer."}, {"lang": "es", "value": "** NO SOPORTADO CUANDO SE ASIGN\u00d3 ** Vulnerabilidad de neutralizaci\u00f3n de salida incorrecta para registros en Apache Struts. Este problema afecta a Apache Struts Extras: versiones anteriores a la 2. Al usar LookupDispatchAction, en algunos casos, Struts puede imprimir entradas no confiables en los registros sin ning\u00fan filtro. Una entrada especialmente manipulada puede generar una salida de registro donde parte del mensaje se hace pasar por una l\u00ednea de registro independiente, lo que confunde a los usuarios (ya sean humanos o automatizados). Dado que este proyecto est\u00e1 retirado, no planeamos publicar una versi\u00f3n que solucione este problema. Se recomienda a los usuarios buscar una alternativa o restringir el acceso a la instancia a usuarios de confianza. NOTA: Esta vulnerabilidad solo afecta a los productos que ya no reciben soporte del fabricante."}], "lastModified": "2025-08-06T13:52:03.277", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:struts_extras:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B28F17ED-2F73-48A0-BAE8-91B3C9AE1B24", "versionEndExcluding": "2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}