The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Struts

Vulnerability announcement CVE-2018-1327

Apache Struts: denial of service via REST Plugin

Synthesis of the vulnerability

An attacker can generate a fatal error via the REST Plugin of Apache Struts, in order to trigger a denial of service.
Impacted products: Struts, Oracle Communications.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: document.
Creation date: 27/03/2018.
Identifiers: CERTFR-2018-AVI-153, cpujul2018, CVE-2018-1327, S2-056, VIGILANCE-VUL-25662.


Vulnerability announcement CVE-2017-17485 CVE-2017-7525 CVE-2018-5968

Apache Struts: code execution via com.fasterxml.jackson

Synthesis of the vulnerability

An attacker can exploit a vulnerability (VIGILANCE-VUL-23406) in com.fasterxml.jackson as used by Apache Struts, in order to run code.
Impacted products: Struts, Debian, Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Tuxedo, Oracle Virtual Directory, WebLogic, Puppet, JBoss EAP by Red Hat.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 12/12/2017.
Identifiers: 5048, CERTFR-2017-AVI-470, cpuapr2018, cpuapr2019, cpujan2019, cpujul2018, cpuoct2018, CVE-2017-17485, CVE-2017-7525, CVE-2018-5968, DSA-4037-1, DSA-4114-1, ibm10715641, ibm10738249, RHSA-2017:3454-01, RHSA-2017:3455-01, RHSA-2017:3456-01, RHSA-2017:3458-01, RHSA-2018:0294-01, RHSA-2018:0478-01, RHSA-2018:0479-01, RHSA-2018:0480-01, RHSA-2018:0481-01, RHSA-2018:1447-01, RHSA-2018:1448-01, RHSA-2018:1449-01, RHSA-2018:1450-01, RHSA-2018:1451-01, RHSA-2018:2930-01, S2-055, VIGILANCE-VUL-24732.


computer vulnerability CVE-2017-15707

Apache Struts REST Plugin: denial of service via JSON

Synthesis of the vulnerability

An attacker can generate a fatal error via JSON input to the Apache Struts REST Plugin, in order to trigger a denial of service.
Impacted products: Struts, Oracle Communications, Oracle Fusion Middleware, Tuxedo, WebLogic.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: internet client.
Creation date: 01/12/2017.
Identifiers: CERTFR-2017-AVI-445, cpuapr2018, cpujul2018, CVE-2017-15707, S2-054, VIGILANCE-VUL-24605.


computer vulnerability alert CVE-2017-12611

Apache Struts: code execution via Freemarker

Synthesis of the vulnerability

An attacker can exploit a vulnerability via Freemarker in Apache Struts, in order to run code.
Impacted products: Struts, Avamar, Unisphere EMC, Oracle Communications, WebLogic.
Severity: 4/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 07/09/2017.
Identifiers: 3889403, 3905487, 504595, 509396, CVE-2017-12611, ESA-2017-121, ESA-2017-128, S2-053, VIGILANCE-VUL-23756.


vulnerability alert CVE-2017-9793 CVE-2017-9804

Apache Struts: two vulnerabilities

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities in Apache Struts.
Impacted products: Struts, Oracle Communications, WebLogic.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 05/09/2017.
Revision date: 07/09/2017.
Identifiers: 3889403, 3905487, CVE-2017-9793, CVE-2017-9804, S2-050, S2-051, VIGILANCE-VUL-23731.

Description of the vulnerability

Several vulnerabilities were announced in Apache Struts.

An attacker can trigger a fatal error via URLValidator, in order to trigger a denial of service. [severity:3/4; CVE-2017-9804, S2-050]

An attacker can trigger a fatal error via Outdated XStream Library, in order to trigger a denial of service. [severity:3/4; CVE-2017-9793, S2-051]

computer vulnerability CVE-2017-9805

Apache Struts: code execution via REST XStream

Synthesis of the vulnerability

An attacker can exploit a vulnerability via REST XStream in Apache Struts, in order to run code.
Impacted products: Struts, Oracle Communications, WebLogic.
Severity: 4/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 07/09/2017.
Identifiers: 3889403, 3905487, CERTFR-2017-AVI-285, CVE-2017-9805, S2-052, VIGILANCE-VUL-23755, VU#112992.


vulnerability note CVE-2017-9787

Apache Struts: denial of service via Spring Secured Actions

Synthesis of the vulnerability

An attacker can generate a fatal error via Spring Secured Actions in Apache Struts, in order to trigger a denial of service.
Impacted products: Struts, Oracle Communications, WebLogic.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: internet client.
Creation date: 13/07/2017.
Revision date: 10/08/2017.
Identifiers: 3889403, 3905487, CVE-2017-9787, S2-049, VIGILANCE-VUL-23244.


computer vulnerability bulletin CVE-2017-9791

Apache Struts 2.3: code execution via Struts 1 Plugin With Raw Message

Synthesis of the vulnerability

An attacker can exploit a vulnerability via the Struts 1 Plugin With Raw Message in Apache Struts 2.3, in order to run code.
Impacted products: Struts, Oracle Communications, WebLogic.
Severity: 3/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 10/07/2017.
Revision date: 17/07/2017.
Identifiers: 3889403, 3905487, CVE-2017-9791, S2-048, VIGILANCE-VUL-23168.


vulnerability bulletin CVE-2017-7672

Apache Struts: denial of service via URLValidator

Synthesis of the vulnerability

An attacker can generate a fatal error via the URLValidator of Apache Struts, in order to trigger a denial of service.
Impacted products: Struts, Oracle Communications, WebLogic.
Severity: 3/4.
Consequences: denial of service on service, denial of service on client.
Provenance: internet client.
Creation date: 13/07/2017.
Identifiers: 3889403, 3905487, CVE-2017-7672, S2-047, VIGILANCE-VUL-23243.


vulnerability CVE-2017-5638

Apache Struts: code execution via Jakarta Multipart CD/CL

Synthesis of the vulnerability

An attacker can send a malicious Content-Disposition/Content-Length header to Apache Struts with Jakarta Multipart installed, in order to run code.
Impacted products: Struts, Cisco CUCM, Cisco Unified CCX, Avamar, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Oracle Communications, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle OIT, Tuxedo, WebLogic, Percona Server.
Severity: 4/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 20/03/2017.
Identifiers: 498123, CERTFR-2017-ALE-004, cisco-sa-20170310-struts2, cpuapr2017, cpujul2017, CVE-2017-5638, ESA-2017-042, S2-045, S2-046, VIGILANCE-VUL-22190.

Description of the vulnerability

Apache Struts can be configured to use the Jakarta Multipart parser.

An HTTP Content-Type header carrying the multipart/form-data MIME type indicates form data; in that case the Jakarta Multipart parser is invoked.

When the Jakarta Multipart parser is in use and the Content-Disposition or Content-Length header contains a malformed value, an exception is raised, and the header content is interpreted when the resulting error is displayed.

An attacker can therefore send a malicious Content-Disposition/Content-Length header to Apache Struts with Jakarta Multipart installed, in order to run code.