CVE-2017-12611
Summary
| CVE | CVE-2017-12611 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-09-20 17:29:00 UTC |
| Updated | 2019-08-12 21:15:00 UTC |
| Description | In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack. |
Risk And Classification
Problem Types: CWE-20
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Struts | 2.0.1 | All | All | All |
| Application | Apache | Struts | 2.0.10 | All | All | All |
| Application | Apache | Struts | 2.0.11 | All | All | All |
| Application | Apache | Struts | 2.0.11.1 | All | All | All |
| Application | Apache | Struts | 2.0.11.2 | All | All | All |
| Application | Apache | Struts | 2.0.12 | All | All | All |
| Application | Apache | Struts | 2.0.13 | All | All | All |
| Application | Apache | Struts | 2.0.14 | All | All | All |
| Application | Apache | Struts | 2.0.2 | All | All | All |
| Application | Apache | Struts | 2.0.3 | All | All | All |
| Application | Apache | Struts | 2.0.4 | All | All | All |
| Application | Apache | Struts | 2.0.5 | All | All | All |
| Application | Apache | Struts | 2.0.6 | All | All | All |
| Application | Apache | Struts | 2.0.7 | All | All | All |
| Application | Apache | Struts | 2.0.8 | All | All | All |
| Application | Apache | Struts | 2.0.9 | All | All | All |
| Application | Apache | Struts | 2.1.0 | All | All | All |
| Application | Apache | Struts | 2.1.1 | All | All | All |
| Application | Apache | Struts | 2.1.2 | All | All | All |
| Application | Apache | Struts | 2.1.3 | All | All | All |
| Application | Apache | Struts | 2.1.4 | All | All | All |
| Application | Apache | Struts | 2.1.5 | All | All | All |
| Application | Apache | Struts | 2.1.6 | All | All | All |
| Application | Apache | Struts | 2.1.8 | All | All | All |
| Application | Apache | Struts | 2.1.8.1 | All | All | All |
| Application | Apache | Struts | 2.2.1 | All | All | All |
| Application | Apache | Struts | 2.2.1.1 | All | All | All |
| Application | Apache | Struts | 2.2.3 | All | All | All |
| Application | Apache | Struts | 2.2.3.1 | All | All | All |
| Application | Apache | Struts | 2.3.1 | All | All | All |
| Application | Apache | Struts | 2.3.1.1 | All | All | All |
| Application | Apache | Struts | 2.3.1.2 | All | All | All |
| Application | Apache | Struts | 2.3.10 | All | All | All |
| Application | Apache | Struts | 2.3.11 | All | All | All |
| Application | Apache | Struts | 2.3.12 | All | All | All |
| Application | Apache | Struts | 2.3.13 | All | All | All |
| Application | Apache | Struts | 2.3.14 | All | All | All |
| Application | Apache | Struts | 2.3.14.1 | All | All | All |
| Application | Apache | Struts | 2.3.14.2 | All | All | All |
| Application | Apache | Struts | 2.3.14.3 | All | All | All |
| Application | Apache | Struts | 2.3.15 | All | All | All |
| Application | Apache | Struts | 2.3.15.1 | All | All | All |
| Application | Apache | Struts | 2.3.15.2 | All | All | All |
| Application | Apache | Struts | 2.3.15.3 | All | All | All |
| Application | Apache | Struts | 2.3.16 | All | All | All |
| Application | Apache | Struts | 2.3.16.1 | All | All | All |
| Application | Apache | Struts | 2.3.16.2 | All | All | All |
| Application | Apache | Struts | 2.3.16.3 | All | All | All |
| Application | Apache | Struts | 2.3.17 | All | All | All |
| Application | Apache | Struts | 2.3.19 | All | All | All |
| Application | Apache | Struts | 2.3.20 | All | All | All |
| Application | Apache | Struts | 2.3.20.1 | All | All | All |
| Application | Apache | Struts | 2.3.20.2 | All | All | All |
| Application | Apache | Struts | 2.3.21 | All | All | All |
| Application | Apache | Struts | 2.3.22 | All | All | All |
| Application | Apache | Struts | 2.3.23 | All | All | All |
| Application | Apache | Struts | 2.3.24.2 | All | All | All |
| Application | Apache | Struts | 2.3.24.3 | All | All | All |
| Application | Apache | Struts | 2.3.25 | All | All | All |
| Application | Apache | Struts | 2.3.26 | All | All | All |
| Application | Apache | Struts | 2.3.27 | All | All | All |
| Application | Apache | Struts | 2.3.28 | All | All | All |
| Application | Apache | Struts | 2.3.28.1 | All | All | All |
| Application | Apache | Struts | 2.3.29 | All | All | All |
| Application | Apache | Struts | 2.3.3 | All | All | All |
| Application | Apache | Struts | 2.3.30 | All | All | All |
| Application | Apache | Struts | 2.3.31 | All | All | All |
| Application | Apache | Struts | 2.3.32 | All | All | All |
| Application | Apache | Struts | 2.3.33 | All | All | All |
| Application | Apache | Struts | 2.3.4 | All | All | All |
| Application | Apache | Struts | 2.3.4.1 | All | All | All |
| Application | Apache | Struts | 2.3.5 | All | All | All |
| Application | Apache | Struts | 2.3.6 | All | All | All |
| Application | Apache | Struts | 2.3.7 | All | All | All |
| Application | Apache | Struts | 2.3.8 | All | All | All |
| Application | Apache | Struts | 2.3.9 | All | All | All |
| Application | Apache | Struts | 2.5 | All | All | All |
| Application | Apache | Struts | 2.5 | beta1 | All | All |
| Application | Apache | Struts | 2.5 | beta2 | All | All |
| Application | Apache | Struts | 2.5 | beta3 | All | All |
| Application | Apache | Struts | 2.5.1 | All | All | All |
| Application | Apache | Struts | 2.5.10 | All | All | All |
| Application | Apache | Struts | 2.5.2 | All | All | All |
| Application | Apache | Struts | 2.5.3 | All | All | All |
| Application | Apache | Struts | 2.5.4 | All | All | All |
| Application | Apache | Struts | 2.5.5 | All | All | All |
| Application | Apache | Struts | 2.5.6 | All | All | All |
| Application | Apache | Struts | 2.5.7 | All | All | All |
| Application | Apache | Struts | 2.5.8 | All | All | All |
| Application | Apache | Struts | 2.5.9 | All | All | All |
| Application | Apache | Struts | 2.0.1 | All | All | All |
| Application | Apache | Struts | 2.0.10 | All | All | All |
| Application | Apache | Struts | 2.0.11 | All | All | All |
| Application | Apache | Struts | 2.0.11.1 | All | All | All |
| Application | Apache | Struts | 2.0.11.2 | All | All | All |
| Application | Apache | Struts | 2.0.12 | All | All | All |
| Application | Apache | Struts | 2.0.13 | All | All | All |
| Application | Apache | Struts | 2.0.14 | All | All | All |
| Application | Apache | Struts | 2.0.2 | All | All | All |
| Application | Apache | Struts | 2.0.3 | All | All | All |
| Application | Apache | Struts | 2.0.4 | All | All | All |
| Application | Apache | Struts | 2.0.5 | All | All | All |
| Application | Apache | Struts | 2.0.6 | All | All | All |
| Application | Apache | Struts | 2.0.7 | All | All | All |
| Application | Apache | Struts | 2.0.8 | All | All | All |
| Application | Apache | Struts | 2.0.9 | All | All | All |
| Application | Apache | Struts | 2.1.0 | All | All | All |
| Application | Apache | Struts | 2.1.1 | All | All | All |
| Application | Apache | Struts | 2.1.2 | All | All | All |
| Application | Apache | Struts | 2.1.3 | All | All | All |
| Application | Apache | Struts | 2.1.4 | All | All | All |
| Application | Apache | Struts | 2.1.5 | All | All | All |
| Application | Apache | Struts | 2.1.6 | All | All | All |
| Application | Apache | Struts | 2.1.8 | All | All | All |
| Application | Apache | Struts | 2.1.8.1 | All | All | All |
| Application | Apache | Struts | 2.2.1 | All | All | All |
| Application | Apache | Struts | 2.2.1.1 | All | All | All |
| Application | Apache | Struts | 2.2.3 | All | All | All |
| Application | Apache | Struts | 2.2.3.1 | All | All | All |
| Application | Apache | Struts | 2.3.1 | All | All | All |
| Application | Apache | Struts | 2.3.1.1 | All | All | All |
| Application | Apache | Struts | 2.3.1.2 | All | All | All |
| Application | Apache | Struts | 2.3.10 | All | All | All |
| Application | Apache | Struts | 2.3.11 | All | All | All |
| Application | Apache | Struts | 2.3.12 | All | All | All |
| Application | Apache | Struts | 2.3.13 | All | All | All |
| Application | Apache | Struts | 2.3.14 | All | All | All |
| Application | Apache | Struts | 2.3.14.1 | All | All | All |
| Application | Apache | Struts | 2.3.14.2 | All | All | All |
| Application | Apache | Struts | 2.3.14.3 | All | All | All |
| Application | Apache | Struts | 2.3.15 | All | All | All |
| Application | Apache | Struts | 2.3.15.1 | All | All | All |
| Application | Apache | Struts | 2.3.15.2 | All | All | All |
| Application | Apache | Struts | 2.3.15.3 | All | All | All |
| Application | Apache | Struts | 2.3.16 | All | All | All |
| Application | Apache | Struts | 2.3.16.1 | All | All | All |
| Application | Apache | Struts | 2.3.16.2 | All | All | All |
| Application | Apache | Struts | 2.3.16.3 | All | All | All |
| Application | Apache | Struts | 2.3.17 | All | All | All |
| Application | Apache | Struts | 2.3.19 | All | All | All |
| Application | Apache | Struts | 2.3.20 | All | All | All |
| Application | Apache | Struts | 2.3.20.1 | All | All | All |
| Application | Apache | Struts | 2.3.20.2 | All | All | All |
| Application | Apache | Struts | 2.3.21 | All | All | All |
| Application | Apache | Struts | 2.3.22 | All | All | All |
| Application | Apache | Struts | 2.3.23 | All | All | All |
| Application | Apache | Struts | 2.3.24.2 | All | All | All |
| Application | Apache | Struts | 2.3.24.3 | All | All | All |
| Application | Apache | Struts | 2.3.25 | All | All | All |
| Application | Apache | Struts | 2.3.26 | All | All | All |
| Application | Apache | Struts | 2.3.27 | All | All | All |
| Application | Apache | Struts | 2.3.28 | All | All | All |
| Application | Apache | Struts | 2.3.28.1 | All | All | All |
| Application | Apache | Struts | 2.3.29 | All | All | All |
| Application | Apache | Struts | 2.3.3 | All | All | All |
| Application | Apache | Struts | 2.3.30 | All | All | All |
| Application | Apache | Struts | 2.3.31 | All | All | All |
| Application | Apache | Struts | 2.3.32 | All | All | All |
| Application | Apache | Struts | 2.3.33 | All | All | All |
| Application | Apache | Struts | 2.3.4 | All | All | All |
| Application | Apache | Struts | 2.3.4.1 | All | All | All |
| Application | Apache | Struts | 2.3.5 | All | All | All |
| Application | Apache | Struts | 2.3.6 | All | All | All |
| Application | Apache | Struts | 2.3.7 | All | All | All |
| Application | Apache | Struts | 2.3.8 | All | All | All |
| Application | Apache | Struts | 2.3.9 | All | All | All |
| Application | Apache | Struts | 2.5 | All | All | All |
| Application | Apache | Struts | 2.5 | beta1 | All | All |
| Application | Apache | Struts | 2.5 | beta2 | All | All |
| Application | Apache | Struts | 2.5 | beta3 | All | All |
| Application | Apache | Struts | 2.5.1 | All | All | All |
| Application | Apache | Struts | 2.5.10 | All | All | All |
| Application | Apache | Struts | 2.5.2 | All | All | All |
| Application | Apache | Struts | 2.5.3 | All | All | All |
| Application | Apache | Struts | 2.5.4 | All | All | All |
| Application | Apache | Struts | 2.5.5 | All | All | All |
| Application | Apache | Struts | 2.5.6 | All | All | All |
| Application | Apache | Struts | 2.5.7 | All | All | All |
| Application | Apache | Struts | 2.5.8 | All | All | All |
| Application | Apache | Struts | 2.5.9 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt | CONFIRM | www.arubanetworks.com | Mitigation, Third Party Advisory |
| Oracle Security Alert CVE-2017-9805 | CONFIRM | www.oracle.com | Patch, Third Party Advisory |
| S2-053 - Apache Struts 2 Documentation - Apache Software Foundation | CONFIRM | struts.apache.org | Exploit, Vendor Advisory |
| Apache Struts CVE-2017-12611 Remote Code Execution Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Page not found - NetApp Knowledgebase | CONFIRM | kb.netapp.com | Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 981201 Java (maven) Security Update for org.apache.struts:struts2-core (GHSA-8fx9-5hx8-crhm)