CVE-2017-15707

CWE-20 — Improper Input Validation6 documents6 sources

Severity

6.2MEDIUM

EPSS

1.5%

top 18.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Struts Apache Software Foundation Apache Struts Oracle Agile PLM Framework +8 more

Timeline

PublishedDec 1

Latest updateOct 16

Description

In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.5 | Impact: 3.6

Affected Packages12 packages

▶Mavenorg.apache.struts:struts2-rest-plugin2.5.0 — 2.5.16

▶NVDapache/struts2.5 — 2.5.14

▶CVEListV5apache_software_foundation/apache_struts2.5 to 2.5.14

▶NVDoracle/weblogic_server12.2.1.2, 12.2.1.3+1

▶NVDoracle/webcenter_portal12.2.1.2.0, 12.2.1.3.0+1

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: cwiki.apache.org ↗

🔴Vulnerability Details

GHSA

Moderate severity vulnerability that affects org.apache.struts:struts2-rest-plugin↗2018-10-16

▶

OSV

Moderate severity vulnerability that affects org.apache.struts:struts2-rest-plugin↗2018-10-16

▶

CVEList

CVE-2017-15707: In Apache Struts 2↗2017-12-01

▶

📋Vendor Advisories

Red Hat

struts2: Crafted JSON request can result in DoS↗2017-12-01

▶

💬Community

Bugzilla

CVE-2017-15707 struts2: Crafted JSON request can result in DoS↗2017-12-06

▶