PT-2017-19197 · Apache · Apache Struts

Published: 2017-09-06 · Updated: 2019-10-03 · CVE-2017-9804

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Apache Struts versions 2.3.7 through 2.3.33
Apache Struts versions 2.5 through 2.5.12

Description

The issue allows remote attackers to cause a denial of service by entering a specially crafted URL in a form field: validating that URL overloads the server process. This is possible when an application allows a URL to be entered in a form field and the built-in URLValidator is used to validate it.

Recommendations

For Apache Struts versions 2.3.7 through 2.3.33, update to a version outside of this range to resolve the issue. For Apache Struts versions 2.5 through 2.5.12, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting the use of the built-in URLValidator until a patch is available.
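As an added illustration of the temporary workaround (restricting use of the built-in URLValidator), the following hypothetical replacement check is not Struts or Apache code: it rejects oversized input before any parsing and then uses java.net.URI, a single-pass parser with no backtracking regex, together with a scheme allowlist. The length limit, allowed schemes and sample inputs are constructed assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

/** Hypothetical bounded URL check to stand in for the built-in URLValidator while patching. */
public final class BoundedUrlCheck {
    // Constructed limit: reject oversized input before any parsing work is done.
    private static final int MAX_LENGTH = 2048;
    // Constructed allowlist: only schemes the form actually needs.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    public static boolean isAcceptable(String value) {
        if (value == null || value.isEmpty() || value.length() > MAX_LENGTH) {
            return false; // oversized or empty input is refused without parsing
        }
        final URI uri;
        try {
            // java.net.URI parses in one pass; a malformed value raises rather than looping
            uri = new URI(value);
        } catch (URISyntaxException e) {
            return false;
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        // Require an absolute URL, an allowlisted scheme and a non-empty host
        return uri.isAbsolute()
            && scheme != null && ALLOWED_SCHEMES.contains(scheme.toLowerCase())
            && host != null && !host.isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a normal URL, a disallowed scheme, a missing host,
        // and an oversized value that is refused before the parser sees it.
        String[] samples = {
            "https://example.com/login",
            "javascript:alert(1)",
            "http://",
            "http://example.com/" + "a".repeat(5000)
        };
        for (String s : samples) {
            String shown = s.length() > 40 ? s.substring(0, 40) + "..." : s;
            System.out.println(shown + " -> " + isAcceptable(s));
        }
    }
}
```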

Fix

DoS

RCE


Weakness Enumeration

Related identifiers

CVE-2017-9804
GHSA-X5X7-3V85-WPC4

Affected products

Apache Struts