Vulnerability-Lookup

CVE-2017-9804 (GCVE-0-2017-9804)

Vulnerability from cvelistv5 – Published: 2017-09-20 17:00 – Updated: 2024-09-17 03:37

Summary

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.

Severity ?

No CVSS data available.

CWE

A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047)

Assigner

apache

References

URL

	Vendor	Product	Version
	Apache Software Foundation	Apache Struts	Affected: 2.3.7 - 2.3.33 Affected: 2.5 - 2.5.12

FKIE_CVE-2017-9804

Vulnerability from fkie_nvd - Published: 2017-09-20 17:29 - Updated: 2025-04-20 01:37

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security@apache.org	http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt	Third Party Advisory
security@apache.org	http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html	Patch, Third Party Advisory
security@apache.org	http://www.securityfocus.com/bid/100612	Third Party Advisory, VDB Entry
security@apache.org	http://www.securitytracker.com/id/1039261	Third Party Advisory, VDB Entry
security@apache.org	https://security.netapp.com/advisory/ntap-20180629-0001/
security@apache.org	https://struts.apache.org/docs/s2-050.html	Patch, Vendor Advisory
security@apache.org	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/100612	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id/1039261	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20180629-0001/
af854a3a-2127-422b-91ae-364da2661108	https://struts.apache.org/docs/s2-050.html	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2	Third Party Advisory

Impacted products

Vendor	Product	Version
apache	struts	2.3.7
apache	struts	2.3.8
apache	struts	2.3.9
apache	struts	2.3.10
apache	struts	2.3.11
apache	struts	2.3.12
apache	struts	2.3.13
apache	struts	2.3.14
apache	struts	2.3.14.1
apache	struts	2.3.14.2
apache	struts	2.3.14.3
apache	struts	2.3.15
apache	struts	2.3.15.1
apache	struts	2.3.15.2
apache	struts	2.3.15.3
apache	struts	2.3.16
apache	struts	2.3.16.1
apache	struts	2.3.16.2
apache	struts	2.3.16.3
apache	struts	2.3.17
apache	struts	2.3.19
apache	struts	2.3.20
apache	struts	2.3.20.1
apache	struts	2.3.20.2
apache	struts	2.3.21
apache	struts	2.3.22
apache	struts	2.3.23
apache	struts	2.3.24.2
apache	struts	2.3.24.3
apache	struts	2.3.25
apache	struts	2.3.26
apache	struts	2.3.27
apache	struts	2.3.28
apache	struts	2.3.28.1
apache	struts	2.3.29
apache	struts	2.3.30
apache	struts	2.3.31
apache	struts	2.3.32
apache	struts	2.3.33
apache	struts	2.5
apache	struts	2.5
apache	struts	2.5
apache	struts	2.5
apache	struts	2.5.1
apache	struts	2.5.2
apache	struts	2.5.3
apache	struts	2.5.4
apache	struts	2.5.5
apache	struts	2.5.6
apache	struts	2.5.7
apache	struts	2.5.8
apache	struts	2.5.9
apache	struts	2.5.10
apache	struts	2.5.10.1
apache	struts	2.5.12

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "443B4E64-2A36-49C6-B09D-77B3BDF69709",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "2481505C-4FD1-4195-9E10-9DD741498FB2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "910DCB81-63A8-4BBB-8897-A98A0F2AEEB4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "F75F4616-4B4B-4CAB-968B-502179152D2B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3D12A0A-1DC5-47C7-9FF6-E8103C75FE76",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "28ED63DB-2AAF-4BC9-A844-074EDF63C89A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "C86232DA-90C7-43F8-99CC-C1BFB4BA3F9A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*",
              "matchCriteriaId": "38A6CEED-6C43-4325-B36C-9F254CCDFDC0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "41F43088-26AA-4890-A9D6-1B9B48D5F02A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "BE6820E3-8FDF-4BDF-8B62-E604A91F1280",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "D25ED06A-F12C-443E-9B3F-FDDF52FE9D93",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*",
              "matchCriteriaId": "44527919-8403-42A8-9CE1-3B4F58630F34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "EBB91D8A-14B8-4263-B90D-F776535F9B8F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "FB525941-7175-43C1-9F17-814F5F7C72CA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "F10D559E-04A0-4002-947C-D3902138795B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*",
              "matchCriteriaId": "89203DD8-2C95-4546-9504-83654FFA5DBC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "EB3D5644-CFAC-4FB5-A1FB-387F97876098",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "1225A0B0-C3F2-4579-BFE9-F8DB2CF596F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "8DC883A7-0766-4857-ABC8-9DB4BA713650",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:*",
              "matchCriteriaId": "D3553904-BF3C-4636-947A-8AA16D4F38A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:*",
              "matchCriteriaId": "E93CE807-D7C2-4865-ACF8-E366A6478B46",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*",
              "matchCriteriaId": "22FF6282-0BCA-46EB-9648-6EE3EDA189F2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "6D1467BC-9BC8-402D-A420-615CF9698648",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "12CE716B-867F-49CA-BDAF-194714D990C1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:*",
              "matchCriteriaId": "CB6057D5-0787-4026-A202-ACD07C862F8D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:*",
              "matchCriteriaId": "1B3AE8EA-4D25-4151-A210-ECDE802F8A2F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:*",
              "matchCriteriaId": "79C615AE-4709-47EB-85F8-BD944096428E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "39047809-4E6D-4670-B9BA-D8FD910E38EB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "71823E13-1896-4EE4-A49C-CFFB717FFD80",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:*",
              "matchCriteriaId": "291F3624-8AB5-46F2-9BB5-F592DF1C9F88",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:*",
              "matchCriteriaId": "DD053675-DE5E-40A8-B404-4F36AAC82502",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:*",
              "matchCriteriaId": "B0392E61-6D77-43C3-8009-96BC0F90B8D1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*",
              "matchCriteriaId": "C778ADED-75B5-4AD3-8CDC-EFDFFAD5A742",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "067F6249-CC5A-4402-843C-06D5F9F77267",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*",
              "matchCriteriaId": "0AFA78DD-B60C-46AD-BCCB-4E15BB16BEDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:*",
              "matchCriteriaId": "1DA1EABE-5292-44C2-8327-54201A42F204",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:*",
              "matchCriteriaId": "F327A6EA-69AF-4EB2-8F17-8011678FAB6D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:*",
              "matchCriteriaId": "603FAA0C-0908-4105-BE3A-016B4A298264",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.3.33:*:*:*:*:*:*:*",
              "matchCriteriaId": "8E5068CA-A472-47D2-A89F-A43EA8617874",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "63CE1226-E0E6-4DC6-AC89-3FFDE6BD7B77",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.5:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "E17D62B8-349B-4F30-8849-6912828802C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.5:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "D5E91133-D585-43F7-9093-94D735B3167E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.5:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "DD44FD72-ECE7-4E08-AD9E-5CE2C310C2C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A4F914BA-CF16-4B03-A6A2-8C9816EC1248",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D2C82970-62C9-4513-A66D-6BDA4048C27F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E1A43CA5-46DE-4513-A309-BE3A60CD5489",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "1D83D2FA-8931-45F8-82D6-DE270A2BA55C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "0D284BF2-101C-490C-85CB-69D156D1FF77",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "5BAD7A75-378F-4A0F-A10F-E4F7AF60F285",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "56E43496-097F-4560-BFB1-BDDA4659F197",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "96C720D6-312B-477C-A993-BEE39A7ADB4E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "03367A87-9011-45F4-B534-DEA26F8D4567",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "CF635DCE-D495-4166-9E25-1E48DDDF9AAC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.5.10.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "725DBE04-720B-421E-B76A-4EE92FEE171C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:2.5.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "0F36F794-B949-40DB-986A-EDB0E6619100",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.  NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672."
    },
    {
      "lang": "es",
      "value": "En Apache Struts desde la versi\u00f3n 2.3.7 hasta la 2.3.33 y desde la 2.5 hasta la 2.5.12, si una aplicaci\u00f3n permite la introducci\u00f3n de una URL en un campo de un formulario y se emplea URLValidator (integrado), es posible preparar una URL especial que ser\u00e1 usada para sobrecargar el proceso del servidor cuando se lleva a cabo la validaci\u00f3n de la URL. NOTA: Esta vulnerabilidad existe debido a una soluci\u00f3n incompleta para S2-047 / CVE-2017-7672."
    }
  ],
  "id": "CVE-2017-9804",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-09-20T17:29:00.620",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/100612"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securitytracker.com/id/1039261"
    },
    {
      "source": "security@apache.org",
      "url": "https://security.netapp.com/advisory/ntap-20180629-0001/"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://struts.apache.org/docs/s2-050.html"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/100612"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securitytracker.com/id/1039261"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20180629-0001/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://struts.apache.org/docs/s2-050.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-X5X7-3V85-WPC4

Vulnerability from github – Published: 2018-10-16 19:37 – Updated: 2024-01-04 23:26

Summary

Apache Struts allows entering a custom URL in a form field if built-in URLValidator is used

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.33"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.struts:struts2-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.7"
            },
            {
              "fixed": "2.3.34"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.5.12"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.struts:struts2-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.5.0"
            },
            {
              "fixed": "2.5.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-9804"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:02:20Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.  NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.",
  "id": "GHSA-x5x7-3v85-wpc4",
  "modified": "2024-01-04T23:26:47Z",
  "published": "2018-10-16T19:37:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9804"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/struts/commit/418a20c0594f23764fe29ced400c1219239899a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/struts"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20180629-0001"
    },
    {
      "type": "WEB",
      "url": "https://struts.apache.org/docs/s2-050.html"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20171113165852/http://www.securityfocus.com/bid/100612"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20201021075553/http://www.securitytracker.com/id/1039261"
    },
    {
      "type": "WEB",
      "url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Struts allows entering a custom URL in a form field if built-in URLValidator is used"
}

CNVD-2017-31531

Vulnerability from cnvd - Published: 2017-10-26

Title

Apache Struts不完全修复拒绝服务漏洞

Description

Apache Struts是美国阿帕奇（Apache）软件基金会负责维护的一个开源项目，是一套用于创建企业级Java Web应用的开源MVC框架，主要提供两个版本框架产品，Struts 1和Struts 2。Apache Struts 2是Apache Struts的下一代产品，是在Struts 1和WebWork的技术基础上进行了合并的全新Struts 2框架，其体系结构与Struts 1差别较大。 Apache Struts 2.3.7版本至2.3.33版本和2.5版本至2.5.12版本中存在安全漏洞。攻击者可利用该漏洞造成拒绝服务（服务器进程超负荷运行）。

Severity

中

Patch Name

Apache Struts不完全修复拒绝服务漏洞的补丁

Patch Description

Formal description

厂商已发布漏洞修复程序，请及时关注更新： http://struts.apache.org/docs/s2-050.html

Reference

http://securitytracker.com/id/1039261

Impacted products

Name
['Apache struts >=2.3.7，<=2.3.33', 'Apache struts >=2.5，<=2.5.12']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "100612"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-9804"
    }
  },
  "description": "Apache Struts\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u8d1f\u8d23\u7ef4\u62a4\u7684\u4e00\u4e2a\u5f00\u6e90\u9879\u76ee\uff0c\u662f\u4e00\u5957\u7528\u4e8e\u521b\u5efa\u4f01\u4e1a\u7ea7Java Web\u5e94\u7528\u7684\u5f00\u6e90MVC\u6846\u67b6\uff0c\u4e3b\u8981\u63d0\u4f9b\u4e24\u4e2a\u7248\u672c\u6846\u67b6\u4ea7\u54c1\uff0cStruts 1\u548cStruts 2\u3002Apache Struts 2\u662fApache Struts\u7684\u4e0b\u4e00\u4ee3\u4ea7\u54c1\uff0c\u662f\u5728Struts 1\u548cWebWork\u7684\u6280\u672f\u57fa\u7840\u4e0a\u8fdb\u884c\u4e86\u5408\u5e76\u7684\u5168\u65b0Struts 2\u6846\u67b6\uff0c\u5176\u4f53\u7cfb\u7ed3\u6784\u4e0eStruts 1\u5dee\u522b\u8f83\u5927\u3002\r\n\r\nApache Struts 2.3.7\u7248\u672c\u81f32.3.33\u7248\u672c\u548c2.5\u7248\u672c\u81f32.5.12\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\uff08\u670d\u52a1\u5668\u8fdb\u7a0b\u8d85\u8d1f\u8377\u8fd0\u884c\uff09\u3002",
  "discovererName": "Adam Cazzolla , and Jonathan Bullock",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttp://struts.apache.org/docs/s2-050.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-31531",
  "openTime": "2017-10-26",
  "patchDescription": "Apache Struts\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u8d1f\u8d23\u7ef4\u62a4\u7684\u4e00\u4e2a\u5f00\u6e90\u9879\u76ee\uff0c\u662f\u4e00\u5957\u7528\u4e8e\u521b\u5efa\u4f01\u4e1a\u7ea7Java Web\u5e94\u7528\u7684\u5f00\u6e90MVC\u6846\u67b6\uff0c\u4e3b\u8981\u63d0\u4f9b\u4e24\u4e2a\u7248\u672c\u6846\u67b6\u4ea7\u54c1\uff0cStruts 1\u548cStruts 2\u3002Apache Struts 2\u662fApache Struts\u7684\u4e0b\u4e00\u4ee3\u4ea7\u54c1\uff0c\u662f\u5728Struts 1\u548cWebWork\u7684\u6280\u672f\u57fa\u7840\u4e0a\u8fdb\u884c\u4e86\u5408\u5e76\u7684\u5168\u65b0Struts 2\u6846\u67b6\uff0c\u5176\u4f53\u7cfb\u7ed3\u6784\u4e0eStruts 1\u5dee\u522b\u8f83\u5927\u3002\r\n\r\nApache Struts 2.3.7\u7248\u672c\u81f32.3.33\u7248\u672c\u548c2.5\u7248\u672c\u81f32.5.12\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\uff08\u670d\u52a1\u5668\u8fdb\u7a0b\u8d85\u8d1f\u8377\u8fd0\u884c\uff09\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Struts\u4e0d\u5b8c\u5168\u4fee\u590d\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache struts \u003e=2.3.7\uff0c\u003c=2.3.33",
      "Apache struts \u003e=2.5\uff0c\u003c=2.5.12"
    ]
  },
  "referenceLink": "http://securitytracker.com/id/1039261",
  "serverity": "\u4e2d",
  "submitTime": "2017-09-06",
  "title": "Apache Struts\u4e0d\u5b8c\u5168\u4fee\u590d\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

GSD-2017-9804

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2017-9804

Aliases

CVE-2017-9804

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-9804",
    "description": "In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.  NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.",
    "id": "GSD-2017-9804",
    "references": [
      "https://www.suse.com/security/cve/CVE-2017-9804.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-9804"
      ],
      "details": "In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.  NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.",
      "id": "GSD-2017-9804",
      "modified": "2023-12-13T01:21:07.821459Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "DATE_PUBLIC": "2017-09-05T00:00:00",
        "ID": "CVE-2017-9804",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Struts",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "2.3.7 - 2.3.33"
                        },
                        {
                          "version_value": "2.5 - 2.5.12"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.  NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "A regular expression Denial of Service when using URLValidator (similar to S2-044 \u0026 S2-047)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html",
            "refsource": "CONFIRM",
            "url": "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html"
          },
          {
            "name": "20170907 Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017",
            "refsource": "CISCO",
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2"
          },
          {
            "name": "100612",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/100612"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20180629-0001/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20180629-0001/"
          },
          {
            "name": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt",
            "refsource": "CONFIRM",
            "url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt"
          },
          {
            "name": "1039261",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1039261"
          },
          {
            "name": "https://struts.apache.org/docs/s2-050.html",
            "refsource": "CONFIRM",
            "url": "https://struts.apache.org/docs/s2-050.html"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[2.3.7,2.3.14.3],[2.3.15,2.3.15.3],[2.3.16,2.3.16.3],[2.3.17], [2.3.19,2.3.20.2],[2.3.21,2.3.23],[2.3.24.2,2.3.24.3],[2.3.25,2.3.28.1], [2.3.29,2.3.33],[2.5,2.5.10.1],[2.5.12]",
          "affected_versions": "All versions starting from 2.3.7 up to 2.3.14.3, all versions starting from 2.3.15 up to 2.3.15.3, all versions starting from 2.3.16 up to 2.3.16.3, version 2.3.17, all versions starting from 2.3.19 up to 2.3.20.2, all versions starting from 2.3.21 up to 2.3.23, all versions starting from 2.3.24.2 up to 2.3.24.3, all versions starting from 2.3.25 up to 2.3.28.1, all versions starting from 2.3.29 up to 2.3.33, all versions starting from 2.5 up to 2.5.10.1, version 2.5.12",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-20",
            "CWE-937"
          ],
          "date": "2019-10-03",
          "description": "If an application allows entering a URL in a form field and built-in `URLValidator` is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.",
          "fixed_versions": [
            "2.3.20.3",
            "2.3.24",
            "2.3.34",
            "2.5.13"
          ],
          "identifier": "CVE-2017-9804",
          "identifiers": [
            "CVE-2017-9804"
          ],
          "not_impacted": "All versions before 2.3.7, all versions after 2.3.14.3 before 2.3.15, all versions after 2.3.15.3 before 2.3.16, all versions after 2.3.16.3 before 2.3.17, all versions after 2.3.17 before 2.3.19, all versions after 2.3.20.2 before 2.3.21, all versions after 2.3.23 before 2.3.24.2, all versions after 2.3.24.3 before 2.3.25, all versions after 2.3.28.1 before 2.3.29, all versions after 2.3.33 before 2.5, all versions after 2.5.10.1 before 2.5.12, all versions after 2.5.12",
          "package_slug": "maven/org.apache.struts/struts2-core",
          "pubdate": "2017-09-20",
          "solution": "Upgrade to versions 2.3.20.3, 2.3.24, 2.3.34, 2.5.13 or above.",
          "title": "Improper Input Validation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2017-9804",
            "http://www.securityfocus.com/bid/100612",
            "http://www.securitytracker.com/id/1039261",
            "https://struts.apache.org/docs/s2-050.html"
          ],
          "uuid": "f2025ae1-babd-47a8-857f-681ba395f798"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.12:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.5:beta2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.5:beta3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.33:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.10.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.5:beta1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2017-9804"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.  NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://struts.apache.org/docs/s2-050.html",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://struts.apache.org/docs/s2-050.html"
            },
            {
              "name": "20170907 Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017",
              "refsource": "CISCO",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2"
            },
            {
              "name": "1039261",
              "refsource": "SECTRACK",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securitytracker.com/id/1039261"
            },
            {
              "name": "100612",
              "refsource": "BID",
              "tags": [
                "VDB Entry",
                "Third Party Advisory"
              ],
              "url": "http://www.securityfocus.com/bid/100612"
            },
            {
              "name": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt"
            },
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20180629-0001/",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://security.netapp.com/advisory/ntap-20180629-0001/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2019-10-03T00:03Z",
      "publishedDate": "2017-09-20T17:29Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2017-9804 (GCVE-0-2017-9804)

FKIE_CVE-2017-9804

GHSA-X5X7-3V85-WPC4

CNVD-2017-31531

GSD-2017-9804

Tags

Sightings

Nomenclature