Denial of Service Vulnerability in Apache Struts 2 by Apache
CVE-2017-9804

7.5HIGH

Key Information:

Vendor
Apache
Status
Apache Struts
Vendor
CVE Published:
20 September 2017

Summary

In Apache Struts versions 2.3.7 to 2.3.33 and 2.5 to 2.5.12, an attacker can exploit a vulnerability in URL validation processes. If a web application using Apache Struts incorporates a form field that accepts URL input and relies on the built-in URLValidator, it's vulnerable to crafted input. By supplying specially prepared URLs, an attacker may cause the server to become overloaded during the URL validation process, leading to a denial of service. This vulnerability arose due to an incomplete fix for a prior vulnerability (S2-047), making it essential for users to apply updates promptly.

Affected Version(s)

Apache Struts 2.3.7 - 2.3.33

Apache Struts 2.5 - 2.5.12

References

http://www.oracle.com/technetwork/security-advisory/alert...
x_refsource_CONFIRM
https://tools.cisco.com/security/center/content/CiscoSecu...
vendor-advisoryx_refsource_CISCO
http://www.securityfocus.com/bid/100612
vdb-entryx_refsource_BID

EPSS Score

12% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.