Vulnerability Details : CVE-2017-9804
In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.
Vulnerability category: Input validation
Exploit prediction scoring system (EPSS) score for CVE-2017-9804
Probability of exploitation activity in the next 30 days: 2.40%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 90 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2017-9804
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST |
|
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2017-9804
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-9804
-
https://struts.apache.org/docs/s2-050.html
S2-050 - DEPRECATED: Apache Struts 2 Documentation - Apache Software FoundationPatch;Vendor Advisory
-
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2
Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017Third Party Advisory
-
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
Oracle Security Alert CVE-2017-9805Patch;Third Party Advisory
-
http://www.securitytracker.com/id/1039261
Apache Struts Regex Processing Flaw in URLValidator Lets Remote Users Consume Excessive CPU Resources on the Target System - SecurityTrackerThird Party Advisory;VDB Entry
-
https://security.netapp.com/advisory/ntap-20180629-0001/
September 2017 Apache Struts Vulnerabilities in NetApp Products | NetApp Product Security
-
http://www.securityfocus.com/bid/100612
Apache Struts CVE-2017-9804 Incomplete Fix Denial of Service VulnerabilityVDB Entry;Third Party Advisory
-
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt
Third Party Advisory
Products affected by CVE-2017-9804
- cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5:beta3:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.33:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.5.12:*:*:*:*:*:*:*