9.8

CVE-2017-9791

Warnung
The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheStruts Version2.3.1
ApacheStruts Version2.3.1.1
ApacheStruts Version2.3.1.2
ApacheStruts Version2.3.3
ApacheStruts Version2.3.4
ApacheStruts Version2.3.4.1
ApacheStruts Version2.3.7
ApacheStruts Version2.3.8
ApacheStruts Version2.3.12
ApacheStruts Version2.3.14
ApacheStruts Version2.3.14.1
ApacheStruts Version2.3.14.2
ApacheStruts Version2.3.14.3
ApacheStruts Version2.3.15
ApacheStruts Version2.3.15.1
ApacheStruts Version2.3.15.2
ApacheStruts Version2.3.15.3
ApacheStruts Version2.3.16
ApacheStruts Version2.3.16.1
ApacheStruts Version2.3.16.2
ApacheStruts Version2.3.16.3
ApacheStruts Version2.3.20
ApacheStruts Version2.3.20.1
ApacheStruts Version2.3.20.3
ApacheStruts Version2.3.24
ApacheStruts Version2.3.24.1
ApacheStruts Version2.3.24.3
ApacheStruts Version2.3.28
ApacheStruts Version2.3.28.1
ApacheStruts Version2.3.29
ApacheStruts Version2.3.30
ApacheStruts Version2.3.31
ApacheStruts Version2.3.32

10.02.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Apache Struts 1 Improper Input Validation Vulnerability

Schwachstelle

The Struts 1 plugin in Apache Struts might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

Beschreibung

Apply updates per vendor instructions.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 98.93% 0.999
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://struts.apache.org/docs/s2-048.html
Vendor Advisory
Mitigation
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
Patch
Third Party Advisory
http://www.securityfocus.com/bid/99484
Third Party Advisory
Broken Link
VDB Entry
http://www.securitytracker.com/id/1038838
Third Party Advisory
Broken Link
VDB Entry
https://security.netapp.com/advisory/ntap-20180706-0002/
Third Party Advisory
https://www.exploit-db.com/exploits/42324/
Third Party Advisory
VDB Entry
https://www.exploit-db.com/exploits/44643/
Third Party Advisory
VDB Entry
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-9791
US Government Resource