
CVE-2017-7672:
Apache Struts Improper Input Validation vulnerability

CVSS Score: 5.9

Basic Information

EPSS Score: -
Published: 10/16/2018
Updated: 1/4/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.apache.struts:struts2-core | maven | >= 2.5.0, < 2.5.12 | 2.5.12

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability description explicitly identifies the built-in URLValidator as the source of the improper input validation. The Struts S2-047 advisory confirms that the default regex in URLValidator is flawed and that the fix is to upgrade to a version with a patched regex. The validate method of the URLValidator class applies that regex to the submitted field value, so it is the entry point for this ReDoS (regular expression denial of service) vulnerability: a crafted URL drives the backtracking regex engine into catastrophic backtracking, which is why the CVSS vector records an availability impact only (C:N/I:N/A:H). The high confidence stems from the direct correlation between the advisory's workaround (regex replacement) and the function's role in validation.
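The following is an added example, not code from Miggo or from the Apache Struts project. It shows the failure mode the analysis describes: a URL-validation regex whose path part contains a nested quantifier (an optional slash followed by a starred character class, itself starred) beside a hardened form where every path iteration must consume a literal slash, plus a length cap applied before any regex runs. The patterns are simplified stand-ins with the same shape as the one the advisory describes, not the Struts URLValidator source, and Python's backtracking `re` engine stands in for `java.util.regex`; the crafted input is constructed here. Function names (`is_valid_url_vulnerable`, `is_valid_url_hardened`, `craft_redos_url`, `measure`) are assumptions for this example.

```python
"""ReDoS in a URL validator: a nested-quantifier pattern beside an unambiguous one."""
import re
import time
from typing import Callable, Optional, Tuple

# Simplified stand-in for the kind of pattern S2-047 describes (an assumption,
# not the Struts URLValidator source).  In the path part, (/?[a-z0-9]*)* lets
# the engine split one run of characters between outer iterations in
# exponentially many ways; once the trailing '$' fails, every split is tried.
VULNERABLE_URL_RE = re.compile(r"^https?://[a-z0-9.-]+(/?[a-z0-9]*)*$", re.IGNORECASE)

# Hardened form: each path iteration must start with a literal '/', so there is
# exactly one way to partition the input and a failed match costs O(len(url)).
SAFE_URL_RE = re.compile(r"^https?://[a-z0-9.-]+(/[a-z0-9]*)*$", re.IGNORECASE)

MAX_URL_LEN = 2048  # defence in depth: bound the input before any regex runs


def is_valid_url_vulnerable(url: str) -> bool:
    """Validator built on the ambiguous pattern (vulnerable to ReDoS)."""
    return VULNERABLE_URL_RE.match(url) is not None


def is_valid_url_hardened(url: str, max_len: Optional[int] = MAX_URL_LEN) -> bool:
    """Length cap first, then the unambiguous pattern."""
    if max_len is not None and len(url) > max_len:
        return False
    return SAFE_URL_RE.match(url) is not None


def craft_redos_url(n: int) -> str:
    """Constructed attacker input: a valid prefix, n ambiguous characters, then a
    byte the pattern can never match, forcing the engine through every split."""
    return "http://x/" + "a" * n + "!"


def measure(validator: Callable[[str], bool], url: str) -> Tuple[bool, float]:
    """Run a validator on one input and return (result, seconds taken)."""
    start = time.perf_counter()
    result = validator(url)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    # Vulnerable validator: time roughly doubles for every extra 'a'.
    for n in range(8, 20, 2):
        ok, secs = measure(is_valid_url_vulnerable, craft_redos_url(n))
        print(f"vulnerable  n={n:5d} valid={ok!s:5} {secs:.4f}s")
    # Hardened regex on a far larger input, with the length cap disabled so the
    # regex itself is what is being timed: still effectively instant.
    ok, secs = measure(lambda u: is_valid_url_hardened(u, max_len=None), craft_redos_url(5000))
    print(f"hardened    n= 5000 valid={ok!s:5} {secs:.4f}s")
    # With the cap on, the 5000-character input never reaches the regex at all.
    print("hardened (cap) ->", is_valid_url_hardened(craft_redos_url(5000)))
```

Both validators accept ordinary URLs such as `http://example.com/path/to/page`; only the crafted input separates them. The fix applied by the upgrade is of the first kind (a rewritten regex); the length cap is the extra control a practitioner adds so that a future regex regression is bounded rather than fatal.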


WAF Protection Rules

WAF Rule

If an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL that will overload the server process when validation of the URL is performed. Solution is to upgrade to Apache Str
