CVE-2017-9793

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2017-9793
The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

5.0 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References
Link Resource
http://www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2017-429.htm Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html Patch Third Party Advisory
http://www.securityfocus.com/bid/100611 Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1039262 Third Party Advisory VDB Entry
https://security.netapp.com/advisory/ntap-20180629-0001/
https://struts.apache.org/docs/s2-051.html Patch Vendor Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2 Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.3.33:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.5:beta1:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.5:beta2:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.5:beta3:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.5.10.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:2.5.12:*:*:*:*:*:*:*
History

No history.

Information

Published : 2017-09-20 17:29

Updated : 2024-02-04 19:29

NVD link : CVE-2017-9793

Mitre link : CVE-2017-9793

CVE.ORG link : CVE-2017-9793

JSON object : View

Products Affected

apache

  • struts
CWE
CWE-20

Improper Input Validation