Vulnerability CVE-2017-15707


Published: 2017-12-01

Description:
In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.

Type:

CWE-20

(Improper Input Validation)

Vendor: Oracle
Product: Agile plm framework 
Version: 9.3.6;
Product: Jd edwards enterpriseone tools 
Version: 9.2;
Product: Financial services hedge management and ifrs valuations 
Version: 8.0.5; 8.0.4;
Product: Financial services market risk measurement and management 
Version: 8.0.5;
Product: Retail xstore point of service 
Version:
7.1.6
7.0.6
6.5.11
16.0.2
15.0.1
Product: Retail order broker 
Version: 5.2;
Product: Enterprise manager for virtualization 
Version: 13.2.3; 13.2.2;
Product: Webcenter portal 
Version: 12.2.1.3.0; 12.2.1.2.0;
Product: Weblogic server 
Version: 12.2.1.3; 12.2.1.2;
Product: Global lifecycle management opatchauto 
Vendor: Apache
Product: Struts 
Version:
2.5.9
2.5.8
2.5.7
2.5.6
2.5.5
2.5.4
2.5.3
2.5.2
2.5.14
2.5.13
2.5.11
2.5.10
2.5.1
2.5
Vendor: Netapp
Product: Oncommand balance 

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial

 References:
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.securityfocus.com/bid/102021
http://www.securitytracker.com/id/1039946
https://cwiki.apache.org/confluence/display/WW/S2-054
https://security.netapp.com/advisory/ntap-20171214-0001/

Related CVE
CVE-2019-8936
NTP through 4.2.8p12 has a NULL Pointer Dereference.
CVE-2019-5492
Element Plug-in for vCenter Server versions prior to 4.2.3 may disclose sensitive account information to an unauthenticated attacker. NetApp HCI Compute Node versions prior to 1.4P2 bundle affected versions of Element Plug-in for vCenter Server.
CVE-2019-11035
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_iif_add_value function. This may lead to information disclosure or crash.
CVE-2019-11034
When processing certain files, PHP EXIF extension in versions 7.1.x below 7.1.28, 7.2.x below 7.2.17 and 7.3.x below 7.3.4 can be caused to read past allocated buffer in exif_process_IFD_TAG function. This may lead to information disclosure or crash.
CVE-2018-20449
The hidma_chan_stats function in drivers/dma/qcom/hidma_dbg.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading "callback=" lines in a debugfs file.
CVE-2019-9946
Cloud Native Computing Foundation (CNCF) CNI (Container Networking Interface) 0.7.4 has a network firewall misconfiguration which affects Kubernetes. The CNI 'portmap' plugin, used to setup HostPorts for CNI, inserts rules at the front of the iptable...
CVE-2019-0222
In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.
CVE-2019-7612
A sensitive data disclosure flaw was found in the way Logstash versions before 5.6.15 and 6.6.1 logs malformed URLs. If a malformed URL is specified as part of the Logstash configuration, the credentials for the URL could be inadvertently logged as p...

Copyright 2019, cxsecurity.com

 

Back to Top