Denial of Service Vulnerability in Apache Struts 2 by Apache
CVE-2017-9804
7.5HIGH
Summary
In Apache Struts versions 2.3.7 to 2.3.33 and 2.5 to 2.5.12, an attacker can exploit a vulnerability in URL validation processes. If a web application using Apache Struts incorporates a form field that accepts URL input and relies on the built-in URLValidator, it's vulnerable to crafted input. By supplying specially prepared URLs, an attacker may cause the server to become overloaded during the URL validation process, leading to a denial of service. This vulnerability arose due to an incomplete fix for a prior vulnerability (S2-047), making it essential for users to apply updates promptly.
Affected Version(s)
Apache Struts 2.3.7 - 2.3.33
Apache Struts 2.5 - 2.5.12
References
EPSS Score
12% chance of being exploited in the next 30 days.
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved