CVE-2017-9804

CWE-20 — Improper Input Validation CWE-3997 documents7 sources

Severity

7.5HIGH

EPSS

4.6%

top 10.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Struts Apache Struts

Timeline

PublishedSep 20

Latest updateOct 16

Description

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.struts:struts2-core2.3.7 — 2.3.34+1

▶NVDapache/struts52 versions+51

▶CVEListV5apache_software_foundation/apache_struts2.3.7 - 2.3.33, 2.5 - 2.5.12+1

Patches

Patch: www.oracle.com ↗Patch: struts.apache.org ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Apache Struts allows entering a custom URL in a form field if built-in URLValidator is used↗2018-10-16

▶

GHSA

Apache Struts allows entering a custom URL in a form field if built-in URLValidator is used↗2018-10-16

▶

CVEList

CVE-2017-9804: In Apache Struts 2↗2017-09-20

▶

📋Vendor Advisories

Cisco

Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017↗2017-09-07

▶

Red Hat

struts: A regular expression Denial of Service when using URLValidator↗2017-09-05

▶

💬Community

Bugzilla

CVE-2017-9804 struts: A regular expression Denial of Service when using URLValidator↗2017-09-05

▶