
Vulnerability_id VCID-vztu-pap6-37ev
Summary
Apache Struts vulnerable to remote arbitrary command execution due to improper input validation
Apache Struts versions prior to 2.3.32 and 2.5.10.1 contain incorrect exception handling and error-message generation during file-upload attempts using the Jakarta Multipart parser, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Aliases
0
alias CVE-2017-5638
1
alias GHSA-j77q-2qqg-6989
Fixed_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.3.32
purl pkg:maven/org.apache.struts/struts2-core@2.3.32
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-mmth-7rgf-aqfa
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.32
1
url pkg:maven/org.apache.struts/struts2-core@2.5.10.1
purl pkg:maven/org.apache.struts/struts2-core@2.5.10.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-21k4-5a8r-7bd9
1
vulnerability VCID-hrky-nmnv-g3eu
2
vulnerability VCID-mmth-7rgf-aqfa
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.10.1
Affected_packages
0
url pkg:maven/org.apache.struts/struts2-core@2.3.0
purl pkg:maven/org.apache.struts/struts2-core@2.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cv6j-98vx-n3ed
1
vulnerability VCID-vztu-pap6-37ev
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.3.0
1
url pkg:maven/org.apache.struts/struts2-core@2.5.0
purl pkg:maven/org.apache.struts/struts2-core@2.5.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8cmt-z8g9-duf2
1
vulnerability VCID-cv6j-98vx-n3ed
2
vulnerability VCID-vztu-pap6-37ev
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.struts/struts2-core@2.5.0
References
0
reference_url https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites
reference_id
reference_type
scores
url https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites
1
reference_url https://cwiki.apache.org/confluence/display/WW/S2-045
reference_id
reference_type
scores
url https://cwiki.apache.org/confluence/display/WW/S2-045
2
reference_url https://cwiki.apache.org/confluence/display/WW/S2-046
reference_id
reference_type
scores
url https://cwiki.apache.org/confluence/display/WW/S2-046
3
reference_url https://exploit-db.com/exploits/41570
reference_id
reference_type
scores
url https://exploit-db.com/exploits/41570
4
reference_url https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=352306493971e7d5a756d61780d57a76eb1f519a
reference_id
reference_type
scores
url https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=352306493971e7d5a756d61780d57a76eb1f519a
5
reference_url https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=6b8272ce47160036ed120a48345d9aa884477228
reference_id
reference_type
scores
url https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=6b8272ce47160036ed120a48345d9aa884477228
6
reference_url https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a
reference_id
reference_type
scores
url https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a
7
reference_url https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228
reference_id
reference_type
scores
url https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228
8
reference_url https://github.com/apache/struts
reference_id
reference_type
scores
url https://github.com/apache/struts
9
reference_url https://github.com/apache/struts/commit/352306493971e7d5a756d61780d57a76eb1f519a
reference_id
reference_type
scores
url https://github.com/apache/struts/commit/352306493971e7d5a756d61780d57a76eb1f519a
10
reference_url https://github.com/apache/struts/commit/b06dd50af2a3319dd896bf5c2f4972d2b772cf2b
reference_id
reference_type
scores
url https://github.com/apache/struts/commit/b06dd50af2a3319dd896bf5c2f4972d2b772cf2b
11
reference_url https://github.com/mazen160/struts-pwn
reference_id
reference_type
scores
url https://github.com/mazen160/struts-pwn
12
reference_url https://github.com/rapid7/metasploit-framework/issues/8064
reference_id
reference_type
scores
url https://github.com/rapid7/metasploit-framework/issues/8064
13
reference_url https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us
reference_id
reference_type
scores
url https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us
14
reference_url https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us
reference_id
reference_type
scores
url https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us
15
reference_url https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us
reference_id
reference_type
scores
url https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us
16
reference_url https://isc.sans.edu/diary/22169
reference_id
reference_type
scores
url https://isc.sans.edu/diary/22169
17
reference_url https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E
18
reference_url https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E
19
reference_url https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
20
reference_url https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
21
reference_url https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E
22
reference_url https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E
23
reference_url https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html
reference_id
reference_type
scores
url https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html
24
reference_url https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
reference_id
reference_type
scores
url https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
25
reference_url https://security.netapp.com/advisory/ntap-20170310-0001
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20170310-0001
26
reference_url https://struts.apache.org/docs/s2-045.html
reference_id
reference_type
scores
url https://struts.apache.org/docs/s2-045.html
27
reference_url https://struts.apache.org/docs/s2-046.html
reference_id
reference_type
scores
url https://struts.apache.org/docs/s2-046.html
28
reference_url https://support.lenovo.com/us/en/product_security/len-14200
reference_id
reference_type
scores
url https://support.lenovo.com/us/en/product_security/len-14200
29
reference_url https://twitter.com/theog150/status/841146956135124993
reference_id
reference_type
scores
url https://twitter.com/theog150/status/841146956135124993
30
reference_url https://web.archive.org/web/20170311203630/http://www.securityfocus.com/bid/96729
reference_id
reference_type
scores
url https://web.archive.org/web/20170311203630/http://www.securityfocus.com/bid/96729
31
reference_url https://web.archive.org/web/20170921030226/http://www.securitytracker.com/id/1037973
reference_id
reference_type
scores
url https://web.archive.org/web/20170921030226/http://www.securitytracker.com/id/1037973
32
reference_url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-5638
reference_id
reference_type
scores
url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-5638
33
reference_url https://www.exploit-db.com/exploits/41614
reference_id
reference_type
scores
url https://www.exploit-db.com/exploits/41614
34
reference_url https://www.kb.cert.org/vuls/id/834067
reference_id
reference_type
scores
url https://www.kb.cert.org/vuls/id/834067
35
reference_url https://www.symantec.com/security-center/network-protection-security-advisories/SA145
reference_id
reference_type
scores
url https://www.symantec.com/security-center/network-protection-security-advisories/SA145
36
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-5638
reference_id CVE-2017-5638
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2017-5638
37
reference_url https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2
reference_id CVE-2017-5638-NEW-REMOTE-CODE-EXECUTION-RCE-VULNERABILITY-IN-APACHE-STRUTS-2
reference_type
scores
url https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2
38
reference_url https://github.com/advisories/GHSA-j77q-2qqg-6989
reference_id GHSA-j77q-2qqg-6989
reference_type
scores
url https://github.com/advisories/GHSA-j77q-2qqg-6989
Weaknesses
0
cwe_id 20
name Improper Input Validation
description The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
1
cwe_id 755
name Improper Handling of Exceptional Conditions
description The product does not handle or incorrectly handles an exceptional condition.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
3
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score null
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vztu-pap6-37ev