Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.apache.struts/struts2-rest-plugin@2.5.13
Typemaven
Namespaceorg.apache.struts
Namestruts2-rest-plugin
Version2.5.13
Qualifiers
Subpath
Is_vulnerablefalse
Next_non_vulnerable_version2.5.16
Latest_non_vulnerable_version6.3.0.2
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-2f37-y2q9-e7h4
vulnerability_id VCID-2f37-y2q9-e7h4
summary 
DoS attack via crafted XML payload processed by REST Plugin using XStream library
The REST Plugin in this package is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.
references
0
reference_url https://struts.apache.org/docs/s2-051.html
reference_id
reference_type
scores
url https://struts.apache.org/docs/s2-051.html
1
reference_url http://www.securityfocus.com/bid/100611
reference_id
reference_type
scores
url http://www.securityfocus.com/bid/100611
2
reference_url http://www.securitytracker.com/id/1039262
reference_id
reference_type
scores
url http://www.securitytracker.com/id/1039262
3
reference_url https://access.redhat.com/security/cve/CVE-2017-9793
reference_id CVE-2017-9793
reference_type
scores
url https://access.redhat.com/security/cve/CVE-2017-9793
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-9793
reference_id CVE-2017-9793
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2017-9793
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-rest-plugin@2.3.20.3
purl pkg:maven/org.apache.struts/struts2-rest-plugin@2.3.20.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-npge-yn8z-6fac
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-rest-plugin@2.3.20.3
1
url pkg:maven/org.apache.struts/struts2-rest-plugin@2.3.24
purl pkg:maven/org.apache.struts/struts2-rest-plugin@2.3.24
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-npge-yn8z-6fac
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-rest-plugin@2.3.24
2
url pkg:maven/org.apache.struts/struts2-rest-plugin@2.3.34
purl pkg:maven/org.apache.struts/struts2-rest-plugin@2.3.34
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-rest-plugin@2.3.34
3
url pkg:maven/org.apache.struts/struts2-rest-plugin@2.5.13
purl pkg:maven/org.apache.struts/struts2-rest-plugin@2.5.13
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-rest-plugin@2.5.13
aliases CVE-2017-9793
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2f37-y2q9-e7h4
1
url VCID-ceb4-v9ww-rkfn
vulnerability_id VCID-ceb4-v9ww-rkfn
summary 
RCE attack via REST plugin with XStream handler to deserialise XML requests
The REST Plugin in this package uses an `XStreamHandler` with an instance of `XStream` for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
references
0
reference_url https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
reference_id
reference_type
scores
url https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
1
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1488482
reference_id
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1488482
2
reference_url https://cwiki.apache.org/confluence/display/WW/S2-052
reference_id
reference_type
scores
url https://cwiki.apache.org/confluence/display/WW/S2-052
3
reference_url https://github.com/apache/struts
reference_id
reference_type
scores
url https://github.com/apache/struts
4
reference_url https://github.com/apache/struts/commit/19494718865f2fb7da5ea363de3822f87fbda26
reference_id
reference_type
scores
url https://github.com/apache/struts/commit/19494718865f2fb7da5ea363de3822f87fbda26
5
reference_url https://github.com/apache/struts/commit/6dd6e5cfb7b5e020abffe7e8091bd63fe97c10a
reference_id
reference_type
scores
url https://github.com/apache/struts/commit/6dd6e5cfb7b5e020abffe7e8091bd63fe97c10a
6
reference_url https://lgtm.com/blog/apache_struts_CVE-2017-9805
reference_id
reference_type
scores
url https://lgtm.com/blog/apache_struts_CVE-2017-9805
7
reference_url https://security.netapp.com/advisory/ntap-20170907-0001
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20170907-0001
8
reference_url https://struts.apache.org/docs/s2-052.html
reference_id
reference_type
scores
url https://struts.apache.org/docs/s2-052.html
9
reference_url https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2
reference_id
reference_type
scores
url https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2
10
reference_url https://web.archive.org/web/20170909031344/http://www.securityfocus.com/bid/100609
reference_id
reference_type
scores
url https://web.archive.org/web/20170909031344/http://www.securityfocus.com/bid/100609
11
reference_url https://web.archive.org/web/20170922053119/http://www.securitytracker.com/id/1039263
reference_id
reference_type
scores
url https://web.archive.org/web/20170922053119/http://www.securitytracker.com/id/1039263
12
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-9805
reference_id
reference_type
scores
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-9805
13
reference_url https://www.exploit-db.com/exploits/42627
reference_id
reference_type
scores
url https://www.exploit-db.com/exploits/42627
14
reference_url https://www.kb.cert.org/vuls/id/112992
reference_id
reference_type
scores
url https://www.kb.cert.org/vuls/id/112992
15
reference_url https://access.redhat.com/security/cve/CVE-2017-9805
reference_id CVE-2017-9805
reference_type
scores
url https://access.redhat.com/security/cve/CVE-2017-9805
16
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-9805
reference_id CVE-2017-9805
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2017-9805
17
reference_url https://github.com/advisories/GHSA-gg9m-fj3v-r58c
reference_id GHSA-gg9m-fj3v-r58c
reference_type
scores
url https://github.com/advisories/GHSA-gg9m-fj3v-r58c
fixed_packages
0
url pkg:maven/org.apache.struts/struts2-rest-plugin@2.3.34
purl pkg:maven/org.apache.struts/struts2-rest-plugin@2.3.34
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-rest-plugin@2.3.34
1
url pkg:maven/org.apache.struts/struts2-rest-plugin@2.5.13
purl pkg:maven/org.apache.struts/struts2-rest-plugin@2.5.13
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-rest-plugin@2.5.13
aliases CVE-2017-9805, GHSA-gg9m-fj3v-r58c
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ceb4-v9ww-rkfn
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-rest-plugin@2.5.13