QwikSec

Security Database

CVE

CWE

Training

CVE-2017-9804

Published: Sep 20, 2017

Modified: Sep 17, 2024

PUBLISHED

Description

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.

Vendor	Product	Versions
Apache Software Foundation	Apache Struts	affected `2.3.7 - 2.3.33` affected `2.5 - 2.5.12`

References

http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html

x_refsource_CONFIRM

20170907 Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017

vendor-advisory

x_refsource_CISCO

vdb-entry

x_refsource_BID

https://security.netapp.com/advisory/ntap-20180629-0001/

x_refsource_CONFIRM

http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt

x_refsource_CONFIRM

vdb-entry

x_refsource_SECTRACK

https://struts.apache.org/docs/s2-050.html

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.