This script is Copyright (C) 2017 Tenable Network Security, Inc.
A web application running on the remote host uses a Java framework
that is affected by multiple denial of service vulnerabilities.
The version of Apache Struts running on the remote host is 2.3.x prior to 2.3.33, or 2.5.x prior to 2.5.12. It is, therefore, affected by multiple vulnerabilities:
- A denial of service vulnerability exists when handling a specially crafted URL in a form field when the built-in URL validator is used. An unauthenticated, remote attacker can exploit this to cause the server process to overload. Note that this issue only affects version 2.5.x. (CVE-2017-7672)
- A flaw exists in unspecified Spring AOP functionality that is used to secure Struts actions. An authenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2017-9787)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
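As an added example (not part of the Nessus plugin), a small Python check that encodes the affected ranges stated above the way a version-based detection would; the version strings it is fed are constructed inputs, and like the plugin it trusts only the self-reported version.

```python
import re

# Fixed version per affected branch, taken from the advisory text:
# 2.3.x is fixed in 2.3.33, 2.5.x is fixed in 2.5.12.
FIXED = {(2, 3): (2, 3, 33), (2, 5): (2, 5, 12)}


def parse_version(version: str):
    """Return (major, minor, patch) from a self-reported string such as '2.5.10'."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Struts version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str) -> bool:
    """True when the version falls in an affected branch below its fixed release."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return False  # branches other than 2.3.x / 2.5.x are outside this advisory
    return v < fixed


def affected_cves(version: str):
    """List the CVEs from the advisory that apply to this version."""
    if not is_affected(version):
        return []
    cves = []
    if parse_version(version)[:2] == (2, 5):
        cves.append("CVE-2017-7672")  # URL validator issue: 2.5.x only
    cves.append("CVE-2017-9787")      # Spring AOP issue: both branches
    return cves


if __name__ == "__main__":
    for sample in ("2.3.32", "2.3.33", "2.5.10", "2.5.12"):  # constructed inputs
        print(sample, affected_cves(sample))
```

Because only the version string is inspected, a vendor backport that fixes the issue without bumping the version would still be flagged; treat a hit as a prompt to confirm, not as proof.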
See also :
Upgrade to Apache Struts version 2.3.33 / 2.5.12 or later. Alternatively, apply the workaround referenced in the vendor advisory.
Risk factor :
Medium / CVSS Base Score : 6.8
CVSS Temporal Score : 5.0
Public Exploit Available : false