7.5

CVE-2017-9804

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.  NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheStruts Version2.3.7
ApacheStruts Version2.3.8
ApacheStruts Version2.3.9
ApacheStruts Version2.3.10
ApacheStruts Version2.3.11
ApacheStruts Version2.3.12
ApacheStruts Version2.3.13
ApacheStruts Version2.3.14
ApacheStruts Version2.3.14.1
ApacheStruts Version2.3.14.2
ApacheStruts Version2.3.14.3
ApacheStruts Version2.3.15
ApacheStruts Version2.3.15.1
ApacheStruts Version2.3.15.2
ApacheStruts Version2.3.15.3
ApacheStruts Version2.3.16
ApacheStruts Version2.3.16.1
ApacheStruts Version2.3.16.2
ApacheStruts Version2.3.16.3
ApacheStruts Version2.3.17
ApacheStruts Version2.3.19
ApacheStruts Version2.3.20
ApacheStruts Version2.3.20.1
ApacheStruts Version2.3.20.2
ApacheStruts Version2.3.21
ApacheStruts Version2.3.22
ApacheStruts Version2.3.23
ApacheStruts Version2.3.24.2
ApacheStruts Version2.3.24.3
ApacheStruts Version2.3.25
ApacheStruts Version2.3.26
ApacheStruts Version2.3.27
ApacheStruts Version2.3.28
ApacheStruts Version2.3.28.1
ApacheStruts Version2.3.29
ApacheStruts Version2.3.30
ApacheStruts Version2.3.31
ApacheStruts Version2.3.32
ApacheStruts Version2.3.33
ApacheStruts Version2.5
ApacheStruts Version2.5 Updatebeta1
ApacheStruts Version2.5 Updatebeta2
ApacheStruts Version2.5 Updatebeta3
ApacheStruts Version2.5.1
ApacheStruts Version2.5.2
ApacheStruts Version2.5.3
ApacheStruts Version2.5.4
ApacheStruts Version2.5.5
ApacheStruts Version2.5.6
ApacheStruts Version2.5.7
ApacheStruts Version2.5.8
ApacheStruts Version2.5.9
ApacheStruts Version2.5.10
ApacheStruts Version2.5.10.1
ApacheStruts Version2.5.12
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 8.46% 0.943
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:N/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
Patch
Third Party Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2
Third Party Advisory
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt
Third Party Advisory
https://security.netapp.com/advisory/ntap-20180629-0001/
http://www.securityfocus.com/bid/100612
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1039261
Third Party Advisory
VDB Entry
https://struts.apache.org/docs/s2-050.html
Patch
Vendor Advisory