Vulnerability Details : CVE-2017-15707
In Apache Struts 2.5 to 2.5.14, the REST Plugin uses an outdated JSON-lib library which is vulnerable and allows a DoS attack using a malicious request with a specially crafted JSON payload.
Vulnerability category: Input validation; Denial of service
Products affected by CVE-2017-15707
- cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:6.5.11:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:7.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:webcenter_portal:12.2.1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm_framework:9.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:global_lifecycle_management_opatchauto:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-15707
EPSS score: 0.23% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~60% (the proportion of vulnerabilities that are scored at or less)
EPSS Score History
CVSS scores for CVE-2017-15707
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
| 6.2 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.5 | 3.6 | NIST | |
CWE ids for CVE-2017-15707
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2017-15707
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html : Oracle Critical Patch Update - April 2018 (Patch)
- http://www.securitytracker.com/id/1039946 : Apache Struts REST Plugin JSON Library Bug Lets Remote Users Deny Service - SecurityTracker (Third Party Advisory; VDB Entry)
- http://www.securityfocus.com/bid/102021 : Apache Struts CVE-2017-15707 Denial of Service Vulnerability (Third Party Advisory; VDB Entry)
- https://cwiki.apache.org/confluence/display/WW/S2-054 : S2-054 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation (Patch; Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20171214-0001/ : CVE-2017-15707 Apache Struts Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html : CPU July 2018 (Patch)