CWE-109: Struts: Validator Turned Off
Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.
Last updated
Overview
CWE-109 (Struts: Validator Turned Off) is a variant-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Common consequences
What can happen when CWE-109 is exploited.
Bypass Protection Mechanism
Affects: Access Control
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Languages
How to prevent it
Practical mitigations for CWE-109, grouped by where in the lifecycle they apply.
Ensure that an action form mapping enables validation. Set the validate field to true.
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
This mapping defines an action for a download form:
Vulnerable example
<action path="/download"This mapping has disabled validation. Disabling validation exposes this action to numerous types of attacks.
Terminology & mappings
Mapped taxonomies
- 7 Pernicious Kingdoms: Struts: Validator Turned Off
- Software Fault Patterns: Tainted input to command (SFP24)
Frequently asked questions
Common questions about CWE-109.
- What is CWE-109?
- Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.
- How do you prevent CWE-109?
- Ensure that an action form mapping enables validation. Set the validate field to true.
- What are the consequences of CWE-109?
- Exploiting CWE-109 can lead to: Bypass Protection Mechanism.
References
- MITRE CWE definition (CWE-109) (opens in a new tab)
- CWE-109 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-109
Get alerted the moment a new CWE-109 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.