漏洞类别:Local
漏洞等级: 
漏洞信息
Apache Struts is an open-source Model-View-Controller (MVC) framework for creating elegant, modern Java web applications.
The REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload. Affected software:
Struts 2.5 - Struts 2.5.14 QID detection logic (Authenticated):
Detection looks for "struts core" jar files in deployed web applications directories and lib folder of Tomcat server. Once it successfully finds the jar file, version information is extracted from that jar files and compared.
Please note: Our detection does not support if the applications are deployed with server configuration unpackWARs=false.
漏洞危害
A remote attacker could exploit this vulnerability to cause a denial-of-service condition, denying service to legitimate users.
解决方案
The vendor has released advisories and updates to fix these vulnerabilities.
Refer to the following link for further details: 30 November 2017 - Struts 2.5.14.1 General Availability
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0daybank
文章评论