struts2-core-2.3.31.jar: 9 vulnerabilities (highest severity is: 10.0) #10
Labels
security vulnerability
Security vulnerability detected by Mend
Comments
mend-for-github-com
bot
added
the
security vulnerability
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Apache Struts 2
Path to dependency file: /ksa-web-core/pom.xml
Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar
Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e
Vulnerabilities
Details
Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-core/pom.xml
Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e
Found in base branch: master
Vulnerability Details
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Publish Date: 2017-03-11
URL: CVE-2017-5638
CVSS 3 Score Details (10.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2017-03-11
Fix Resolution: 2.3.32
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-core/pom.xml
Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e
Found in base branch: master
Vulnerability Details
In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.
Publish Date: 2017-09-20
URL: CVE-2017-12611
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-053
Release Date: 2017-09-20
Fix Resolution: 2.3.34
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-core/pom.xml
Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e
Found in base branch: master
Vulnerability Details
The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.
Publish Date: 2022-04-12
URL: CVE-2021-31805
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-062
Release Date: 2022-04-12
Fix Resolution: org.apache.struts:struts2-core:2.5.30
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-core/pom.xml
Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e
Found in base branch: master
Vulnerability Details
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
Publish Date: 2020-12-11
URL: CVE-2020-17530
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-061
Release Date: 2020-12-11
Fix Resolution: 2.5.26
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-core/pom.xml
Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e
Found in base branch: master
Vulnerability Details
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Publish Date: 2020-09-14
URL: CVE-2019-0230
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/ww/s2-059
Release Date: 2020-09-14
Fix Resolution: 2.5.22
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-core/pom.xml
Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e
Found in base branch: master
Vulnerability Details
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.
Publish Date: 2018-08-22
URL: CVE-2018-11776
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11776
Release Date: 2018-08-22
Fix Resolution: 2.3.35
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-core/pom.xml
Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e
Found in base branch: master
Vulnerability Details
When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.
Publish Date: 2017-07-13
URL: CVE-2017-9787
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2017-07-13
Fix Resolution: 2.3.33
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-core/pom.xml
Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e
Found in base branch: master
Vulnerability Details
In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.
Publish Date: 2017-09-20
URL: CVE-2017-9804
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2017-09-20
Fix Resolution: 2.3.34
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - struts2-core-2.3.31.jar
Apache Struts 2
Path to dependency file: /ksa-web-core/pom.xml
Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e
Found in base branch: master
Vulnerability Details
An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.
Publish Date: 2020-09-14
URL: CVE-2019-0233
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/ww/s2-060
Release Date: 2020-09-14
Fix Resolution: 2.5.22
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.
The text was updated successfully, but these errors were encountered: