
13 matches found

F5 Networks
added 2023/02/21 6:53 p.m. | 88 views

K12542008: Apache Struts vulnerabilities CVE-2017-9793 and CVE-2017-9804

Security Advisory Description CVE-2017-9793 The REST Plugin in Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload. CVE-2017-9804 In Apache Stru...

CVSS 7.5 | AI score 7 | EPSS 0.09507
Exploits: 23

Github Security Blog
added 2018/10/16 7:37 p.m. | 47 views

Apache Struts allows entering a custom URL in a form field if built-in URLValidator is used

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this...

CVSS 7.5 | AI score 6.5 | EPSS 0.09507
Exploits: 23 | References: 10 | Affected Software: 1

vulnersOsv
added 2018/10/16 7:36 p.m. | 3 views

com.github.a-pz:struts2-thymeleaf3-plugin (>=1.0.3-RELEASE <=1.0.5-RELEASE), com.jgeppert.struts2.bootstrap:struts2-bootstrap-plugin (=2.5.1) +71 more potentially affected by CVE-2017-7672 +1 more via org.apache.struts:struts2-core (>=2.5.1 <=2.5.10.1)

org.apache.struts:struts2-core MAVEN version =2.5.1, =1.0.3-RELEASE, =0.9.4, =2.5.1, =2.5.1, =2.5.1, =2.5.1, =2.5.1, =2.5.1, =2.5.1, =2.5.1, =2.5.1, =2.5.1, =2.5.10.1 - org.apache.struts:struts2-java8-support-plugin =2.5.1 and more Source cves: CVE-2017-7672, CVE-2017-9805 Source advisory:...

CVSS 8.1 | AI score 7 | EPSS 0.99461
Exploits: 23

Tenable Nessus
added 2017/10/04 12:0 a.m. | 70 views

Oracle WebLogic Server Multiple Vulnerabilities

Binary data oracleweblogicserverCVE-2017-9805.nbin...

CVSS 10 | AI score 8.5 | EPSS 0.99999
Exploits: 90 | References: 12

NVD
added 2017/09/20 5:29 p.m. | 23 views

CVE-2017-9804

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this...

CVSS 7.5 | AI score 6 | EPSS 0.09507
Exploits: 23 | References: 7

Prion
added 2017/09/20 5:29 p.m. | 31 views

Code injection

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this...

CVSS 5 | AI score 6.9 | EPSS 0.99461
Exploits: 23 | References: 7 | Affected Software: 1

Cvelist
added 2017/09/20 5:0 p.m. | 31 views

CVE-2017-9804

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this...

AI score 6.6 | EPSS 0.99461
Exploits: 23 | References: 7

Veracode
added 2017/09/05 9:13 p.m. | 35 views

Regular Expression Denial Of Service (ReDoS)

struts2-core and xwork-core are vulnerable to regular expression denial of service ReDoS attacks. When the URLValidator is used it is possible to overload the server process through an attacker controlled URL. These attacks are as a result of an incomplete fix for CVE-2017-7672...

CVSS 7.5 | AI score 7.4 | EPSS 0.99461
Exploits: 23 | References: 8 | Affected Software: 2

RedhatCVE
added 2017/09/05 2:19 p.m. | 42 views

CVE-2017-9804

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this...

CVSS 7.5 | AI score 2.8 | EPSS 0.09507
Exploits: 23 | References: 2

OpenVAS
added 2017/07/18 12:0 a.m. | 35 views

Apache Struts URLValidator DoS Vulnerability (S2-047) - Linux

Apache Struts is prone to a denial of service DoS vulnerability. This VT has been deprecated and merged into the VT SPDX-FileCopyrightText: 2017 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders...

CVSS 5.9 | AI score 6.5 | EPSS 0.09362
Exploits: 0 | References: 1

OSV
added 2017/07/13 3:29 p.m. | 37 views

CVE-2017-7672

If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. Solution is to upgrade to Apache Struts version 2.5.12...

CVSS 5.9 | AI score 8.2 | EPSS 0.99461
Exploits: 23 | References: 6

CVE
added 2017/07/13 3:0 p.m. | 130 views

CVE-2017-7672

CVE-2017-9805 is an RCE in Apache Struts 2 via the REST plugin using XStreamHandler deserializing XML without type filtering. Impact arises when an XML payload is deserialized, allowing remote code execution. Affected Apache Struts 2 REST plugin versions include 2.3.x before 2.3.34 and 2.5.x befo...

CVSS 5.9 | AI score 6.2 | EPSS 0.09362
Exploits: 0 | References: 6 | Affected Software: 1

Cvelist
added 2017/07/13 3:0 p.m. | 37 views

CVE-2017-7672

If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. Solution is to upgrade to Apache Struts version 2.5.12...

AI score 6.1 | EPSS 0.09362
Exploits: 0 | References: 6