Remote Code Execution Vulnerability in Apache Struts by Apache
CVE-2017-7672

5.9MEDIUM

Key Information:

Vendor
Apache
Status
Apache Struts
Vendor
CVE Published:
13 July 2017

Summary

A vulnerability exists in Apache Struts when the application permits users to input URLs via form fields without adequate validation. When the built-in URLValidator is engaged, it can lead to the processing of a specially crafted URL that may overload the server during the validation process. To mitigate this risk, users are advised to upgrade to Apache Struts version 2.5.12, which addresses this critical issue.

Affected Version(s)

Apache Struts 2.5 to 2.5.10.1

References

http://www.oracle.com/technetwork/security-advisory/alert...
x_refsource_CONFIRM
http://www.securityfocus.com/bid/99563
vdb-entryx_refsource_BID
http://struts.apache.org/docs/s2-047.html
x_refsource_CONFIRM

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.