Page 5 of 85 results (0.005 seconds)

CVSS: 7.5EPSS: 93%CPEs: 55EXPL: 0

The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload. El Plugin REST en Apache Struts versiones 2.1.x, versiones 2.3.7 hasta 2.3.33 y versiones 2.5 hasta 2.5.12, está usando una biblioteca XStream obsoleta que es vulnerable y permite realizar un ataque de DoS usando una petición maliciosa con una carga útil XML especialmente diseñada. • http://www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2017-429.htm http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html http://www.securityfocus.com/bid/100611 http://www.securitytracker.com/id/1039262 https://security.netapp.com/advisory/ntap-20180629-0001 https://struts.apache.org/docs/s2-051.html https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2 • CWE-20: Improper Input Validation •

CVSS: 8.1EPSS: 97%CPEs: 58EXPL: 10

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads. El Plugin REST en Apache Struts versiones 2.1.1 hasta 2.3.x anteriores a 2.3.34 y versiones 2.5.x anteriores a 2.5.13, usa una XStreamHandler con una instancia de XStream para deserialización sin ningún filtrado de tipos, lo que puede conllevar a una ejecución de código remota cuando se deserializan cargas XML. Apache Struts versions 2.5 through 2.5.12 using the REST plugin are vulnerable to a Java deserialization attack in the XStream library. Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads. • https://www.exploit-db.com/exploits/42627 https://github.com/0x00-0x00/-CVE-2017-9805 https://github.com/Shakun8/CVE-2017-9805 https://github.com/0xd3vil/CVE-2017-9805-Exploit https://github.com/jongmartinez/-CVE-2017-9805- https://github.com/z3bd/CVE-2017-9805 https://github.com/wifido/CVE-2017-9805-Exploit https://github.com/AvishkaSenadheera/CVE-2017-9805---Documentation---IT19143378 https://github.com/UbuntuStrike/struts_rest_rce_fuzz-CVE-2017-9805- https: • CWE-502: Deserialization of Untrusted Data •

CVSS: 7.5EPSS: 0%CPEs: 66EXPL: 0

Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object. Apache Struts en versiones 2.x anteriores a la 2.3.24.1 permite que los atacantes remotos manipulen estados internos de Struts o alteren la configuración del contenedor mediante vectores que involucren un objeto de la cima. • http://www.securityfocus.com/bid/82550 http://www.securitytracker.com/id/1033908 https://security.netapp.com/advisory/ntap-20180629-0002 https://struts.apache.org/docs/s2-026.html • CWE-20: Improper Input Validation •

CVSS: 7.5EPSS: 3%CPEs: 53EXPL: 0

When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33. Cuando se utiliza una funcionalidad de Programación Orientada a Aspectos (POA) Spring para hacer las acciones Struts seguras, es posible realizar un ataque de DoS. La solución es actualizar a la versión 2.5.12 o 2.3.33 de Apache Struts. • http://struts.apache.org/docs/s2-049.html http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html http://www.securityfocus.com/bid/99562 http://www.securitytracker.com/id/1039115 https://lists.apache.org/thread.html/3795c4dd46d9ec75f4a6eb9eca11c11edd3e796c6c1fd7b17b5dc50d%40%3Cannouncements.struts.apache.org%3E https://lists.apache.org/thread.html/de3d325f0433cd3b42258b6a302c0d7a72b69eedc1480ed561d3b065%40%3Cannouncements.struts.apache.org%3E https://security.netapp.com/advisory/ntap-20180706-0002 •

CVSS: 5.9EPSS: 3%CPEs: 7EXPL: 0

If an application allows enter an URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. Solution is to upgrade to Apache Struts version 2.5.12. Si una aplicación permite la introducción de una URL en un campo de un formulario y se emplea URLValidator (integrado), es posible preparar una URL especial que será utilizada para sobrecargar el proceso del servidor cuando se lleva a cabo la validación de la URL. La solución es actualizar a la versión 2.5.12 de Apache Struts. • http://struts.apache.org/docs/s2-047.html http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html http://www.securityfocus.com/bid/99563 http://www.securitytracker.com/id/1039114 https://lists.apache.org/thread.html/3795c4dd46d9ec75f4a6eb9eca11c11edd3e796c6c1fd7b17b5dc50d%40%3Cannouncements.struts.apache.org%3E https://security.netapp.com/advisory/ntap-20180706-0002 • CWE-20: Improper Input Validation •