
Test ID: 1.3.6.1.4.1.25623.1.0.108624
Category: Web application abuses
Title: Apache Struts Security Update (S2-051, S2-052) - Version Check
Summary: Apache Struts is prone to multiple vulnerabilities.
Description:
Summary:
Apache Struts is prone to multiple vulnerabilities.

Vulnerability Insight:
- CVE-2017-9793: The REST Plugin uses an outdated
XStream library that is vulnerable and allows a DoS attack using a malicious
request with a specially crafted XML payload.

- CVE-2017-9805: The REST Plugin uses an XStreamHandler with an instance of XStream
for deserialization without any type filtering, which can lead to Remote Code
Execution when deserializing XML payloads.

Vulnerability Impact:
- CVE-2017-9793: An attacker can exploit this issue to
cause a DoS condition, denying service to legitimate users.

- CVE-2017-9805: An RCE attack is possible when using the Struts REST plugin with the XStream
handler to deserialise XML requests.

Affected Software/OS:
Apache Struts 2.1.6 through 2.3.33 and 2.5 through
2.5.12.

Solution:
Update to version 2.3.34, 2.5.13 or later.

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Cross-reference: BugTraq ID: 100609
BugTraq ID: 100611
Common Vulnerability Exposure (CVE) ID: CVE-2017-9793
http://www.securityfocus.com/bid/100611
Cisco Security Advisory: 20170907 Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2
http://www.securitytracker.com/id/1039262
Common Vulnerability Exposure (CVE) ID: CVE-2017-9805
http://www.securityfocus.com/bid/100609
CERT/CC vulnerability note: VU#112992
https://www.kb.cert.org/vuls/id/112992
https://www.exploit-db.com/exploits/42627/
https://lgtm.com/blog/apache_struts_CVE-2017-9805
http://www.securitytracker.com/id/1039263
Copyright: Copyright (C) 2019 Greenbone Networks GmbH





© 1998-2024 E-Soft Inc. All rights reserved.