Open dev-mend-for-github-com[bot] opened 1 year ago
dev-mend-for-github-com[bot]
commented
1 year ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
dev-mend-for-github-com[bot]
commented
1 year ago :information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Apache Struts 2
Library home page: http://struts.apache.org/struts2-core/
Path to dependency file: /ksa-web-root/ksa-statistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2017-5638
### Vulnerable Library - struts2-core-2.3.31.jarApache Struts 2
Library home page: http://struts.apache.org/struts2-core/
Path to dependency file: /ksa-web-root/ksa-statistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.31.jar** (Vulnerable Library)
Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` com.ksa.freemarker.TemplateTest (Application) -> freemarker.template.Configuration (Extension) -> freemarker.core._ObjectBuilderSettingEvaluator (Extension) -> freemarker.core._ObjectBuilderSettingEvaluator$BuilderExpression (Extension) ... -> org.apache.struts2.components.ActionComponent (Extension) -> org.apache.struts2.dispatcher.Dispatcher (Extension) -> ❌ org.apache.struts2.dispatcher.multipart.MultiPartRequestWrapper (Vulnerable Component) ``` ### Vulnerability DetailsThe Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Publish Date: 2017-03-11
URL: CVE-2017-5638
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2017-03-11
Fix Resolution: 2.3.32
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-12611
### Vulnerable Library - struts2-core-2.3.31.jarApache Struts 2
Library home page: http://struts.apache.org/struts2-core/
Path to dependency file: /ksa-web-root/ksa-statistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.31.jar** (Vulnerable Library)
Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` com.ksa.web.struts2.views.freemarker.ShiroFreemarkerManager (Application) -> ❌ org.apache.struts2.views.freemarker.FreemarkerManager (Vulnerable Component) ``` ### Vulnerability DetailsIn Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.
Publish Date: 2017-09-07
URL: CVE-2017-12611
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-053
Release Date: 2017-09-07
Fix Resolution: 2.3.34
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-9787
### Vulnerable Library - struts2-core-2.3.31.jarApache Struts 2
Library home page: http://struts.apache.org/struts2-core/
Path to dependency file: /ksa-web-root/ksa-statistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.31.jar** (Vulnerable Library)
Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` com.ksa.web.struts2.views.freemarker.ShiroFreemarkerManager (Application) -> freemarker.template.Configuration (Extension) -> freemarker.core._ObjectBuilderSettingEvaluator (Extension) -> org.apache.struts2.dispatcher.Dispatcher (Extension) ... -> com.opensymphony.xwork2.config.providers.XWorkConfigurationProvider (Extension) -> com.opensymphony.xwork2.ognl.OgnlUtil (Extension) -> ❌ com.opensymphony.xwork2.ognl.SecurityMemberAccess (Vulnerable Component) ``` ### Vulnerability DetailsWhen using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.
Publish Date: 2017-07-13
URL: CVE-2017-9787
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2017-07-13
Fix Resolution: 2.3.33
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-17530
### Vulnerable Library - struts2-core-2.3.31.jarApache Struts 2
Library home page: http://struts.apache.org/struts2-core/
Path to dependency file: /ksa-web-root/ksa-statistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.31.jar** (Vulnerable Library)
Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsForced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.
Publish Date: 2020-12-11
URL: CVE-2020-17530
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-061
Release Date: 2020-12-11
Fix Resolution: 2.5.26
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-0230
### Vulnerable Library - struts2-core-2.3.31.jarApache Struts 2
Library home page: http://struts.apache.org/struts2-core/
Path to dependency file: /ksa-web-root/ksa-statistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.31.jar** (Vulnerable Library)
Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsApache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Publish Date: 2020-09-14
URL: CVE-2019-0230
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/ww/s2-059
Release Date: 2020-09-14
Fix Resolution: 2.5.22
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2018-11776
### Vulnerable Library - struts2-core-2.3.31.jarApache Struts 2
Library home page: http://struts.apache.org/struts2-core/
Path to dependency file: /ksa-web-root/ksa-statistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.31.jar** (Vulnerable Library)
Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsApache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.
Publish Date: 2018-08-22
URL: CVE-2018-11776
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11776
Release Date: 2018-08-22
Fix Resolution: 2.3.35
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-0233
### Vulnerable Library - struts2-core-2.3.31.jarApache Struts 2
Library home page: http://struts.apache.org/struts2-core/
Path to dependency file: /ksa-web-root/ksa-statistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.31.jar** (Vulnerable Library)
Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsAn access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.
Publish Date: 2020-09-14
URL: CVE-2019-0233
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/ww/s2-060
Release Date: 2020-09-14
Fix Resolution: 2.5.22
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-9804
### Vulnerable Library - struts2-core-2.3.31.jarApache Struts 2
Library home page: http://struts.apache.org/struts2-core/
Path to dependency file: /ksa-web-root/ksa-statistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy: - :x: **struts2-core-2.3.31.jar** (Vulnerable Library)
Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsIn Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.
Publish Date: 2017-09-05
URL: CVE-2017-9804
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2017-09-05
Fix Resolution: 2.3.34
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.