Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.struts/struts2-core@2.3.29

Type maven

Namespace org.apache.struts

Name struts2-core

Version 2.3.29

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.3.31

Latest_non_vulnerable_version 7.1.1

Affected_by_vulnerabilities

url VCID-dvxu-9sh6-qbef

vulnerability_id VCID-dvxu-9sh6-qbef

summary

Improper Input Validation
Using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.

references

reference_url	https://struts.apache.org/docs/s2-053.html
reference_id
reference_type
scores
url	https://struts.apache.org/docs/s2-053.html

reference_url	http://www.securityfocus.com/bid/100829
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/100829

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-12611
reference_id	CVE-2017-12611
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-12611

fixed_packages

url	pkg:maven/org.apache.struts/struts2-core@2.3.34
purl	pkg:maven/org.apache.struts/struts2-core@2.3.34
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.34

url pkg:maven/org.apache.struts/struts2-core@2.5.12

purl pkg:maven/org.apache.struts/struts2-core@2.5.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hrky-nmnv-g3eu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.12

aliases CVE-2017-12611

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dvxu-9sh6-qbef

url VCID-hrky-nmnv-g3eu

vulnerability_id VCID-hrky-nmnv-g3eu

summary

Improper Input Validation
If an application allows entering a URL in a form field and built-in `URLValidator` is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL.

references

reference_url	https://struts.apache.org/docs/s2-050.html
reference_id
reference_type
scores
url	https://struts.apache.org/docs/s2-050.html

reference_url	http://www.securityfocus.com/bid/100612
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/100612

reference_url	http://www.securitytracker.com/id/1039261
reference_id
reference_type
scores
url	http://www.securitytracker.com/id/1039261

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-9804
reference_id	CVE-2017-9804
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-9804

fixed_packages

url	pkg:maven/org.apache.struts/struts2-core@2.3.34
purl	pkg:maven/org.apache.struts/struts2-core@2.3.34
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.34

url	pkg:maven/org.apache.struts/struts2-core@2.5.13
purl	pkg:maven/org.apache.struts/struts2-core@2.5.13
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.13

aliases CVE-2017-9804

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hrky-nmnv-g3eu

url VCID-mmth-7rgf-aqfa

vulnerability_id VCID-mmth-7rgf-aqfa

summary

Uncontrolled Resource Consumption
When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack.

references

reference_url	http://struts.apache.org/docs/s2-049.html
reference_id
reference_type
scores
url	http://struts.apache.org/docs/s2-049.html

reference_url	http://www.securityfocus.com/bid/99562
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/99562

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-9787
reference_id	CVE-2017-9787
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-9787

fixed_packages

url pkg:maven/org.apache.struts/struts2-core@2.3.33

purl pkg:maven/org.apache.struts/struts2-core@2.3.33

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvxu-9sh6-qbef

vulnerability	VCID-hrky-nmnv-g3eu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.33

url pkg:maven/org.apache.struts/struts2-core@2.5.12

purl pkg:maven/org.apache.struts/struts2-core@2.5.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-hrky-nmnv-g3eu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.12

aliases CVE-2017-9787

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mmth-7rgf-aqfa

Fixing_vulnerabilities

url VCID-4bzw-ges2-d7ek

vulnerability_id VCID-4bzw-ges2-d7ek

summary

Apache Struts forced double OGNL evaluation
Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a "%{}" sequence in a tag attribute, aka forced double OGNL evaluation.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785.

references

reference_url	https://github.com/apache/struts
reference_id
reference_type
scores
url	https://github.com/apache/struts

reference_url	https://security.netapp.com/advisory/ntap-20180629-0004
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20180629-0004

reference_url	https://struts.apache.org/docs/s2-036.html
reference_id
reference_type
scores
url	https://struts.apache.org/docs/s2-036.html

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2016-4461
reference_id	CVE-2016-4461
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2016-4461

reference_url	https://github.com/advisories/GHSA-864w-r5qj-h6fj
reference_id	GHSA-864w-r5qj-h6fj
reference_type
scores
url	https://github.com/advisories/GHSA-864w-r5qj-h6fj

fixed_packages

url pkg:maven/org.apache.struts/struts2-core@2.3.29

purl pkg:maven/org.apache.struts/struts2-core@2.3.29

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvxu-9sh6-qbef

vulnerability	VCID-hrky-nmnv-g3eu

vulnerability	VCID-mmth-7rgf-aqfa

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.29

aliases CVE-2016-4461, GHSA-864w-r5qj-h6fj

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4bzw-ges2-d7ek

url VCID-npge-yn8z-6fac

vulnerability_id VCID-npge-yn8z-6fac

summary

Improper Input Validation
The REST plugin in Apache Struts 2, allows remote attackers to execute arbitrary code via a crafted expression.

references

reference_url	http://jvndb.jvn.jp/jvndb/JVNDB-2016-000110
reference_id
reference_type
scores
url	http://jvndb.jvn.jp/jvndb/JVNDB-2016-000110

reference_url	http://jvn.jp/en/jp/JVN07710476/index.html
reference_id
reference_type
scores
url	http://jvn.jp/en/jp/JVN07710476/index.html

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1348238
reference_id
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1348238

reference_url	https://struts.apache.org/docs/s2-037.html
reference_id
reference_type
scores
url	https://struts.apache.org/docs/s2-037.html

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2016-4438
reference_id	CVE-2016-4438
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2016-4438

reference_url	https://github.com/advisories/GHSA-4prj-vw9j-v6pr
reference_id	GHSA-4prj-vw9j-v6pr
reference_type
scores
url	https://github.com/advisories/GHSA-4prj-vw9j-v6pr

fixed_packages

url pkg:maven/org.apache.struts/struts2-core@2.3.29

purl pkg:maven/org.apache.struts/struts2-core@2.3.29

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvxu-9sh6-qbef

vulnerability	VCID-hrky-nmnv-g3eu

vulnerability	VCID-mmth-7rgf-aqfa

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.29

aliases CVE-2016-4438, GHSA-4prj-vw9j-v6pr

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-npge-yn8z-6fac

url VCID-qdsq-8td3-5qa1

vulnerability_id VCID-qdsq-8td3-5qa1

summary

Improper Input Validation
The `URLValidator` class in Apache Struts 2 allows remote attackers to cause a denial of service via a `null` value for a URL field.

references

reference_url	http://jvndb.jvn.jp/jvndb/JVNDB-2016-000114
reference_id
reference_type
scores
url	http://jvndb.jvn.jp/jvndb/JVNDB-2016-000114

reference_url	http://jvn.jp/en/jp/JVN12352818/index.html
reference_id
reference_type
scores
url	http://jvn.jp/en/jp/JVN12352818/index.html

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1348253
reference_id
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1348253

reference_url	https://struts.apache.org/docs/s2-041.html
reference_id
reference_type
scores
url	https://struts.apache.org/docs/s2-041.html

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2016-4465
reference_id	CVE-2016-4465
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2016-4465

fixed_packages

url pkg:maven/org.apache.struts/struts2-core@2.3.29

purl pkg:maven/org.apache.struts/struts2-core@2.3.29

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-dvxu-9sh6-qbef

vulnerability	VCID-hrky-nmnv-g3eu

vulnerability	VCID-mmth-7rgf-aqfa

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.29

url	pkg:maven/org.apache.struts/struts2-core@2.5.1
purl	pkg:maven/org.apache.struts/struts2-core@2.5.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.1

aliases CVE-2016-4465

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qdsq-8td3-5qa1

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.29

Package Instance