Main Vulnerability Database SB2017090806

SB2017090806 - Remote code execution in Apache Struts

Published: September 8, 2017 Updated: September 11, 2017

Security Bulletin ID SB2017090806

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Remote code execution (CVE-ID: CVE-2017-12611)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green

The vulnerability allows a remote attacker to execute arbitrary code.

The weakness exists due to the unsafe use of writable expression values in Freemarker content. A remote attacker can add malicious values to writable expressions that the attacker submits to the affected application for processing and execute arbitrary code in the security context of the affected application.

Remediation

Install update from vendor's website.

References

https://struts.apache.org/docs/s2-053.html