PT-2017-19197 · Apache · Apache Struts

Published

2017-09-06

·

Updated

2019-10-03

·

CVE-2017-9804

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Apache Struts versions 2.3.7 through 2.3.33
Apache Struts versions 2.5 through 2.5.12

Description

The issue allows remote attackers to cause a denial of service by entering a specially crafted URL in a form field; validating that URL overloads the server process. This is possible when an application allows a URL to be entered in a form field and validates it with the built-in URLValidator.

Recommendations

For Apache Struts versions 2.3.7 through 2.3.33, update to a version outside of this range to resolve the issue. For Apache Struts versions 2.5 through 2.5.12, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting the use of the built-in URLValidator until a patch is available.

Fix

DoS

RCE

Weakness Enumeration

Related Identifiers

CVE-2017-9804
GHSA-X5X7-3V85-WPC4

Affected Products

Apache Struts