struts2-core and xwork-core are vulnerable to regular expression denial of service (ReDoS) attacks. When the URLValidator is used, it is possible to overload the server process through an attacker-controlled URL. These attacks are the result of an incomplete fix for CVE-2017-7672.

Name | Operator | Version
---|---|---
struts 2 core | le | 2.5.12
struts 2 core | le | 2.3.33
xwork: core | le | 2.3.33

www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt
www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
www.securityfocus.com/bid/100612
www.securitytracker.com/id/1039261
security.netapp.com/advisory/ntap-20180629-0001/
struts.apache.org/docs/s2-050.html
tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2
www.sourceclear.com/registry/security/remote-code-execution-rce-/java/sid-4568/summary