CVE-2017-7672

Severity: 5.9 MEDIUM
EPSS: 1.3% (top 19.93%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 13 (2017); latest update Oct 16

Description

If an application lets a user enter a URL in a form field and validates it with the built-in URLValidator, an attacker can craft a special URL that overloads the server process while the URL is being validated (a regular-expression denial of service, as the Red Hat advisories below describe). The fix is to upgrade to Apache Struts 2.5.12.
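The following is an added example, not code from Apache Struts and not the URLValidator pattern that was actually fixed. It shows the general shape of the problem: a regex with nested quantifiers that backtracks exponentially on a crafted host name, a deadline wrapper that cuts such a match off (the CharSequence trick works because java.util.regex reads its input through charAt() on every step), and a replacement validator that bounds the input length and parses with java.net.URI instead of a regex. The pattern NAIVE_URL, the class names, the 2048-byte limit and the scheme allow-list are all assumptions chosen for the illustration. Requires Java 11 or later.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class UrlValidationDemo {

    // HYPOTHETICAL pattern, not the Struts URLValidator regex. The nested
    // quantifiers in "(([a-z0-9-]+)+\\.)+" are the hazard: when a host label
    // is followed by a character that cannot match, the engine retries every
    // way of splitting that label, which is exponential in its length.
    static final Pattern NAIVE_URL = Pattern.compile(
            "^https?://(([a-z0-9-]+)+\\.)+[a-z]{2,}(/\\S*)?$");

    // Assumed limits for the hardened validator; tune per application.
    static final int MAX_URL_LENGTH = 2048;
    static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    /** Thrown from charAt() once the regex engine runs past its deadline. */
    static final class RegexTimeoutException extends RuntimeException {
        RegexTimeoutException() { super("regex evaluation exceeded its deadline"); }
    }

    // CharSequence view that checks a deadline on every charAt(). The regex
    // engine touches the input through this interface on each backtracking
    // step, so a runaway match is aborted instead of pinning a worker thread.
    static final class DeadlineCharSequence implements CharSequence {
        private final CharSequence inner;
        private final long deadlineNanos;

        DeadlineCharSequence(CharSequence inner, long timeoutMillis) {
            this(inner, System.nanoTime() + timeoutMillis * 1_000_000L);
        }

        private DeadlineCharSequence(CharSequence inner, long deadlineNanos) {
            this.inner = inner;
            this.deadlineNanos = deadlineNanos;
        }

        @Override public char charAt(int index) {
            if (System.nanoTime() - deadlineNanos > 0) {  // overflow-safe comparison
                throw new RegexTimeoutException();
            }
            return inner.charAt(index);
        }

        @Override public int length() { return inner.length(); }

        @Override public CharSequence subSequence(int start, int end) {
            return new DeadlineCharSequence(inner.subSequence(start, end), deadlineNanos);
        }

        @Override public String toString() { return inner.toString(); }
    }

    /** Runs a legacy regex under a deadline; returns "match", "no match" or "timeout". */
    static String matchWithDeadline(Pattern pattern, String input, long timeoutMillis) {
        Matcher m = pattern.matcher(new DeadlineCharSequence(input, timeoutMillis));
        try {
            return m.matches() ? "match" : "no match";
        } catch (RegexTimeoutException e) {
            return "timeout";
        }
    }

    // Hardened check: bound the length first, then let java.net.URI parse the
    // value (a single linear pass, no backtracking) and allow-list the scheme.
    static boolean isValidUrl(String s) {
        if (s == null || s.length() > MAX_URL_LENGTH) {
            return false;
        }
        try {
            URI uri = new URI(s);
            String scheme = uri.getScheme();
            String host = uri.getHost();
            return scheme != null
                    && ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))
                    && host != null && !host.isEmpty();
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String benign = "https://example.com/path?q=1";
        // Constructed payload: one long host label with no dot, ending in a
        // character the pattern rejects, so every split of the label is retried.
        String crafted = "http://" + "a".repeat(40) + "!";

        System.out.println("naive    benign : " + matchWithDeadline(NAIVE_URL, benign, 200));
        System.out.println("naive    crafted: " + matchWithDeadline(NAIVE_URL, crafted, 200));
        System.out.println("hardened benign : " + isValidUrl(benign));
        System.out.println("hardened crafted: " + isValidUrl(crafted));
    }
}
```

Run with `java UrlValidationDemo.java`. The naive pattern accepts the benign URL quickly but hits the 200 ms deadline on the crafted one, which without the wrapper would keep a request thread busy for far longer; the hardened validator rejects the crafted input after a single parse. The deadline wrapper is a stopgap for regexes you cannot replace immediately; the length cap plus parser-based validation is the durable fix.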

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.2 | Impact: 3.6
(Network-reachable, high attack complexity, no privileges or user interaction required; scope unchanged; no confidentiality or integrity impact, high availability impact.)

Affected Packages (3 packages)

Source       Package                                    Affected versions
Maven        org.apache.struts:struts2-core             from 2.5.0, fixed in 2.5.12
NVD          apache/struts                              7 versions (+6)
CVEList V5   apache_software_foundation/apache_struts   2.3.7 - 2.3.33, 2.5 - 2.5.12, 2.5 to 2.5.10.1 (+2)

🔴 Vulnerability Details (4)

OSV      2018-10-16  Apache Struts Improper Input Validation vulnerability
GHSA     2018-10-16  Apache Struts Improper Input Validation vulnerability
GHSA     2018-10-16  Apache Struts allows entering a custom URL in a form field if built-in URLValidator is used
CVEList  2017-07-13  CVE-2017-7672: If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to…

📋 Vendor Advisories (2)

Red Hat  2017-09-05  struts: A regular expression Denial of Service when using URLValidator
Red Hat  2017-08-11  struts: Denial of service in built-in URLValidator

💬 Community (4)

Bugzilla  2017-09-05  CVE-2017-9804 struts: A regular expression Denial of Service when using URLValidator
Bugzilla  2017-08-11  CVE-2017-7672 struts: Denial of service in built-in URLValidator [fedora-all]
Bugzilla  2017-08-11  CVE-2017-7672 struts: Denial of service in built-in URLValidator
Bugzilla  2017-08-11  CVE-2017-7672 struts: Denial of service in built-in URLValidator [epel-7]
CVE-2017-7672 (MEDIUM, CVSS 5.9) | cvebase.io