cvelistv5 - cve-2023-41835

CVE-2023-41835 (GCVE-0-2023-41835)

Vulnerability from cvelistv5 – Published: 2023-12-05 08:37 – Updated: 2025-11-04 19:21

Summary

When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir even if the request has been denied. Users are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue.

Severity ?

No CVSS data available.

CWE

CWE-459 - Incomplete Cleanup

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread/6wj530kh3ono8phr6…	mailing-listvendor-advisory
	https://www.openwall.com/lists/oss-security/2023/…

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Struts	Affected: 2.0.0 , ≤ 2.5.31 (semver) Affected: 6.1.2.1 , ≤ 6.3.0 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T19:21:09.564Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "mailing-list",
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2023/12/09/1"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20231013-0001/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-41835",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-28T15:55:29.926474Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-28T15:56:00.942Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.struts",
          "product": "Apache Struts",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.5.31",
              "status": "affected",
              "version": "2.0.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.3.0",
              "status": "affected",
              "version": "6.1.2.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eWhen a Multipart request is performed but some of the fields exceed the \u003c/span\u003e\u003ccode\u003emaxStringLength\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp; limit, the upload files will remain in \u003c/span\u003e\u003ccode\u003estruts.multipart.saveDir\u003c/code\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp; even if the request has been denied.\u003c/span\u003e\u003cbr\u003eUsers are recommended to upgrade to versions \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eStruts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater\u003c/span\u003e, which fixe this issue."
            }
          ],
          "value": "When a Multipart request is performed but some of the fields exceed the maxStringLength\u00a0 limit, the upload files will remain in struts.multipart.saveDir\u00a0 even if the request has been denied.\nUsers are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-459",
              "description": "CWE-459 Incomplete Cleanup",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-12T08:42:20.578Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "mailing-list",
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft"
        },
        {
          "url": "https://www.openwall.com/lists/oss-security/2023/12/09/1"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Struts: excessive disk usage",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2023-41835",
    "datePublished": "2023-12-05T08:37:31.602Z",
    "dateReserved": "2023-09-04T07:53:19.551Z",
    "dateUpdated": "2025-11-04T19:21:09.564Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.0.0\", \"versionEndExcluding\": \"2.5.32\", \"matchCriteriaId\": \"F9AB79F4-6FCB-42EC-B241-099B97CC99ED\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"6.1.2.1\", \"versionEndExcluding\": \"6.3.0.1\", \"matchCriteriaId\": \"97723A4F-E3A6-4AF3-ACC9-3C9618A75220\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"When a Multipart request is performed but some of the fields exceed the maxStringLength\\u00a0 limit, the upload files will remain in struts.multipart.saveDir\\u00a0 even if the request has been denied.\\nUsers are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue.\"}, {\"lang\": \"es\", \"value\": \"Cuando se realiza una solicitud multiparte pero algunos de los campos exceden el l\\u00edmite maxStringLength, los archivos cargados permanecer\\u00e1n en struts.multipart.saveDir incluso si la solicitud ha sido denegada. Se recomienda a los usuarios actualizar a las versiones Struts 2.5.32 o 6.1.2.2 o Struts 6.3.0.1 o superior, que solucionan este problema.\"}]",
      "id": "CVE-2023-41835",
      "lastModified": "2024-11-21T08:21:46.180",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
      "published": "2023-12-05T09:15:07.093",
      "references": "[{\"url\": \"https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Release Notes\"]}, {\"url\": \"https://www.openwall.com/lists/oss-security/2023/12/09/1\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Release Notes\"]}, {\"url\": \"https://www.openwall.com/lists/oss-security/2023/12/09/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security@apache.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security@apache.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-459\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-459\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-41835\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2023-12-05T09:15:07.093\",\"lastModified\":\"2025-11-04T20:16:46.207\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When a Multipart request is performed but some of the fields exceed the maxStringLength\u00a0 limit, the upload files will remain in struts.multipart.saveDir\u00a0 even if the request has been denied.\\nUsers are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue.\"},{\"lang\":\"es\",\"value\":\"Cuando se realiza una solicitud multiparte pero algunos de los campos exceden el l\u00edmite maxStringLength, los archivos cargados permanecer\u00e1n en struts.multipart.saveDir incluso si la solicitud ha sido denegada. Se recomienda a los usuarios actualizar a las versiones Struts 2.5.32 o 6.1.2.2 o Struts 6.3.0.1 o superior, que solucionan este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-459\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-459\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.5.32\",\"matchCriteriaId\":\"F9AB79F4-6FCB-42EC-B241-099B97CC99ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.1.2.1\",\"versionEndExcluding\":\"6.3.0.1\",\"matchCriteriaId\":\"97723A4F-E3A6-4AF3-ACC9-3C9618A75220\"}]}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Release Notes\"]},{\"url\":\"https://www.openwall.com/lists/oss-security/2023/12/09/1\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Release Notes\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20231013-0001/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.openwall.com/lists/oss-security/2023/12/09/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft\", \"tags\": [\"mailing-list\", \"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://www.openwall.com/lists/oss-security/2023/12/09/1\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T19:09:48.717Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-41835\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-28T15:55:29.926474Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-28T15:55:55.265Z\"}}], \"cna\": {\"title\": \"Apache Struts: excessive disk usage\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Struts\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2.5.31\"}, {\"status\": \"affected\", \"version\": \"6.1.2.1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.3.0\"}], \"packageName\": \"org.apache.struts\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft\", \"tags\": [\"mailing-list\", \"vendor-advisory\"]}, {\"url\": \"https://www.openwall.com/lists/oss-security/2023/12/09/1\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"When a Multipart request is performed but some of the fields exceed the maxStringLength\\u00a0 limit, the upload files will remain in struts.multipart.saveDir\\u00a0 even if the request has been denied.\\nUsers are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eWhen a Multipart request is performed but some of the fields exceed the \u003c/span\u003e\u003ccode\u003emaxStringLength\u003c/code\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp; limit, the upload files will remain in \u003c/span\u003e\u003ccode\u003estruts.multipart.saveDir\u003c/code\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp; even if the request has been denied.\u003c/span\u003e\u003cbr\u003eUsers are recommended to upgrade to versions \u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eStruts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater\u003c/span\u003e, which fixe this issue.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-459\", \"description\": \"CWE-459 Incomplete Cleanup\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2023-12-12T08:42:20.578Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-41835\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-28T15:56:00.942Z\", \"dateReserved\": \"2023-09-04T07:53:19.551Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2023-12-05T08:37:31.602Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2023-AVI-1055

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une exécution de code arbitraire à distance, un déni de service à distance et une élévation de privilèges.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

IBM QRadar SIEM versions 7.5.x antérieures à 7.5.0 UP7 IF03
IBM Sterling B2B Integrator versions 6.0.0.x antérieures à 6.0.3.9
IBM Sterling B2B Integrator versions 6.1.0.x antérieures à 6.1.0.8
IBM Sterling B2B Integrator versions 6.1.1.x antérieures à 6.1.1.4
IBM Sterling B2B Integrator versions 6.1.2.x antérieures à 6.1.2.3
IBM Sterling B2B Integrator versions 6.1.2.x antérieures à 6.2.0.0
IBM AIX version 7.3
IBM AIX version 7.2
IBM VIOS version 4.1
IBM VIOS version 3.1

Se référer aux bulletin de l'éditeur pour les versions des fichiers vulnérables (cf. section Documentation).

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 7099297 du 18 décembre 2023	None	vendor-advisory
Bulletin de sécurité IBM 7101062 du 21 décembre 2023	None	vendor-advisory
Bulletin de sécurité IBM 7099862 du 19 décembre 2023	None	vendor-advisory
Bulletin de sécurité IBM 7099313 du 18 décembre 2023	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cul\u003e \u003cli\u003eIBM QRadar SIEM versions 7.5.x ant\u00e9rieures \u00e0 7.5.0 UP7 IF03\u003c/li\u003e \u003cli\u003eIBM Sterling B2B Integrator versions 6.0.0.x ant\u00e9rieures \u00e0 6.0.3.9\u003c/li\u003e \u003cli\u003eIBM Sterling B2B Integrator versions 6.1.0.x ant\u00e9rieures \u00e0 6.1.0.8\u003c/li\u003e \u003cli\u003eIBM Sterling B2B Integrator versions 6.1.1.x ant\u00e9rieures \u00e0 6.1.1.4\u003c/li\u003e \u003cli\u003eIBM Sterling B2B Integrator versions 6.1.2.x ant\u00e9rieures \u00e0 6.1.2.3\u003c/li\u003e \u003cli\u003eIBM Sterling B2B Integrator versions 6.1.2.x ant\u00e9rieures \u00e0 6.2.0.0\u003c/li\u003e \u003cli\u003eIBM AIX version 7.3\u003c/li\u003e \u003cli\u003eIBM AIX version 7.2\u003c/li\u003e \u003cli\u003eIBM VIOS version 4.1\u003c/li\u003e \u003cli\u003eIBM VIOS version 3.1\u003c/li\u003e \u003c/ul\u003e \u003cp\u003eSe r\u00e9f\u00e9rer aux bulletin de l\u0027\u00e9diteur pour les versions des fichiers vuln\u00e9rables (cf. section Documentation).\u003c/p\u003e ",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-37920",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-37920"
    },
    {
      "name": "CVE-2023-1436",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-1436"
    },
    {
      "name": "CVE-2023-44487",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
    },
    {
      "name": "CVE-2023-26049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26049"
    },
    {
      "name": "CVE-2023-34040",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-34040"
    },
    {
      "name": "CVE-2022-40149",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
    },
    {
      "name": "CVE-2023-42795",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-42795"
    },
    {
      "name": "CVE-2022-40150",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
    },
    {
      "name": "CVE-2023-36478",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36478"
    },
    {
      "name": "CVE-2023-45648",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45648"
    },
    {
      "name": "CVE-2023-40787",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-40787"
    },
    {
      "name": "CVE-2022-45693",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
    },
    {
      "name": "CVE-2023-3341",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-3341"
    },
    {
      "name": "CVE-2023-43804",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-43804"
    },
    {
      "name": "CVE-2023-40167",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-40167"
    },
    {
      "name": "CVE-2023-22045",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22045"
    },
    {
      "name": "CVE-2023-22049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22049"
    },
    {
      "name": "CVE-2023-36479",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36479"
    },
    {
      "name": "CVE-2022-45685",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-45685"
    },
    {
      "name": "CVE-2023-41835",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41835"
    },
    {
      "name": "CVE-2023-46604",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-46604"
    },
    {
      "name": "CVE-2023-35001",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35001"
    },
    {
      "name": "CVE-2023-41080",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41080"
    },
    {
      "name": "CVE-2023-46589",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-46589"
    },
    {
      "name": "CVE-2023-47146",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-47146"
    },
    {
      "name": "CVE-2023-32233",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-32233"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-1055",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-12-22T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    },
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles produits IBM\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9\ndes donn\u00e9es, une ex\u00e9cution de code arbitraire \u00e0 distance,\u00a0un d\u00e9ni de\nservice \u00e0 distance et une \u00e9l\u00e9vation de privil\u00e8ges.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7099297 du 18 d\u00e9cembre 2023",
      "url": "https://www.ibm.com/support/pages/node/7099862"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7101062 du 21 d\u00e9cembre 2023",
      "url": null
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7099862 du 19 d\u00e9cembre 2023",
      "url": "https://www.ibm.com/support/pages/node/7101062"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7099313 du 18 d\u00e9cembre 2023",
      "url": "https://www.ibm.com/support/pages/node/7099313"
    }
  ]
}

CERTFR-2023-AVI-1062

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Juniper Secure Analytics. Certaines d'entre elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur, une exécution de code arbitraire à distance et un déni de service à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Juniper Networks	Secure Analytics	Juniper Secure Analytics versions antérieures à 7.5.0 UP7 IF03

References

Title

Publication Time

Tags

Bulletin de sécurité Juniper JSA75636 du 28 décembre 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Juniper Secure Analytics versions ant\u00e9rieures \u00e0 7.5.0 UP7 IF03",
      "product": {
        "name": "Secure Analytics",
        "vendor": {
          "name": "Juniper Networks",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-44487",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
    },
    {
      "name": "CVE-2023-26049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26049"
    },
    {
      "name": "CVE-2023-34040",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-34040"
    },
    {
      "name": "CVE-2023-42795",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-42795"
    },
    {
      "name": "CVE-2023-36478",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36478"
    },
    {
      "name": "CVE-2023-45648",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45648"
    },
    {
      "name": "CVE-2023-40787",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-40787"
    },
    {
      "name": "CVE-2023-40167",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-40167"
    },
    {
      "name": "CVE-2023-22045",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22045"
    },
    {
      "name": "CVE-2023-22049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22049"
    },
    {
      "name": "CVE-2023-36479",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36479"
    },
    {
      "name": "CVE-2023-41835",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41835"
    },
    {
      "name": "CVE-2023-46604",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-46604"
    },
    {
      "name": "CVE-2023-35001",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35001"
    },
    {
      "name": "CVE-2023-41080",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41080"
    },
    {
      "name": "CVE-2023-46589",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-46589"
    },
    {
      "name": "CVE-2023-47146",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-47146"
    },
    {
      "name": "CVE-2023-32233",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-32233"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-1062",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-12-29T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Juniper Secure\nAnalytics. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une\nex\u00e9cution de code arbitraire \u00e0 distance et un d\u00e9ni de service \u00e0\ndistance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Juniper Secure Analytics",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75636 du 28 d\u00e9cembre 2023",
      "url": "https://supportportal.juniper.net/s/article/2023-12-Security-Bulletin-JSA-Series-Multiple-vulnerabilities-resolved"
    }
  ]
}

CERTFR-2023-AVI-0750

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans Apache Struts. Elle permet à un attaquant de provoquer un déni de service à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Apache	Struts	Struts versions antérieures à 6.1.2.2
Apache	Struts	Struts versions antérieures à 2.5.32
Apache	Struts	Struts versions antérieures à 6.3.0.1

References

Title

Publication Time

Tags

Bulletin de sécurité Struts s2-065 du 13 septembre 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Struts versions ant\u00e9rieures \u00e0 6.1.2.2",
      "product": {
        "name": "Struts",
        "vendor": {
          "name": "Apache",
          "scada": false
        }
      }
    },
    {
      "description": "Struts versions ant\u00e9rieures \u00e0 2.5.32",
      "product": {
        "name": "Struts",
        "vendor": {
          "name": "Apache",
          "scada": false
        }
      }
    },
    {
      "description": "Struts versions ant\u00e9rieures \u00e0 6.3.0.1",
      "product": {
        "name": "Struts",
        "vendor": {
          "name": "Apache",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-41835",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41835"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0750",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-09-14T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Apache\u003cspan class=\"textit\"\u003e\nStruts\u003c/span\u003e. Elle permet \u00e0 un attaquant de provoquer un d\u00e9ni de\nservice \u00e0 distance.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Apache Struts",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Struts s2-065 du 13 septembre 2023",
      "url": "https://cwiki.apache.org/confluence/display/WW/s2-065"
    }
  ]
}

CERTFR-2023-AVI-1062

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Juniper Networks	Secure Analytics	Juniper Secure Analytics versions antérieures à 7.5.0 UP7 IF03

References

Title

Publication Time

Tags

Bulletin de sécurité Juniper JSA75636 du 28 décembre 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Juniper Secure Analytics versions ant\u00e9rieures \u00e0 7.5.0 UP7 IF03",
      "product": {
        "name": "Secure Analytics",
        "vendor": {
          "name": "Juniper Networks",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-44487",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
    },
    {
      "name": "CVE-2023-26049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26049"
    },
    {
      "name": "CVE-2023-34040",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-34040"
    },
    {
      "name": "CVE-2023-42795",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-42795"
    },
    {
      "name": "CVE-2023-36478",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36478"
    },
    {
      "name": "CVE-2023-45648",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45648"
    },
    {
      "name": "CVE-2023-40787",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-40787"
    },
    {
      "name": "CVE-2023-40167",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-40167"
    },
    {
      "name": "CVE-2023-22045",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22045"
    },
    {
      "name": "CVE-2023-22049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22049"
    },
    {
      "name": "CVE-2023-36479",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36479"
    },
    {
      "name": "CVE-2023-41835",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41835"
    },
    {
      "name": "CVE-2023-46604",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-46604"
    },
    {
      "name": "CVE-2023-35001",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35001"
    },
    {
      "name": "CVE-2023-41080",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41080"
    },
    {
      "name": "CVE-2023-46589",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-46589"
    },
    {
      "name": "CVE-2023-47146",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-47146"
    },
    {
      "name": "CVE-2023-32233",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-32233"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-1062",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-12-29T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Juniper Secure\nAnalytics. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur, une\nex\u00e9cution de code arbitraire \u00e0 distance et un d\u00e9ni de service \u00e0\ndistance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Juniper Secure Analytics",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA75636 du 28 d\u00e9cembre 2023",
      "url": "https://supportportal.juniper.net/s/article/2023-12-Security-Bulletin-JSA-Series-Multiple-vulnerabilities-resolved"
    }
  ]
}

CERTFR-2023-AVI-1055

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

IBM QRadar SIEM versions 7.5.x antérieures à 7.5.0 UP7 IF03
IBM Sterling B2B Integrator versions 6.0.0.x antérieures à 6.0.3.9
IBM Sterling B2B Integrator versions 6.1.0.x antérieures à 6.1.0.8
IBM Sterling B2B Integrator versions 6.1.1.x antérieures à 6.1.1.4
IBM Sterling B2B Integrator versions 6.1.2.x antérieures à 6.1.2.3
IBM Sterling B2B Integrator versions 6.1.2.x antérieures à 6.2.0.0
IBM AIX version 7.3
IBM AIX version 7.2
IBM VIOS version 4.1
IBM VIOS version 3.1

Se référer aux bulletin de l'éditeur pour les versions des fichiers vulnérables (cf. section Documentation).

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 7099297 du 18 décembre 2023	None	vendor-advisory
Bulletin de sécurité IBM 7101062 du 21 décembre 2023	None	vendor-advisory
Bulletin de sécurité IBM 7099862 du 19 décembre 2023	None	vendor-advisory
Bulletin de sécurité IBM 7099313 du 18 décembre 2023	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cul\u003e \u003cli\u003eIBM QRadar SIEM versions 7.5.x ant\u00e9rieures \u00e0 7.5.0 UP7 IF03\u003c/li\u003e \u003cli\u003eIBM Sterling B2B Integrator versions 6.0.0.x ant\u00e9rieures \u00e0 6.0.3.9\u003c/li\u003e \u003cli\u003eIBM Sterling B2B Integrator versions 6.1.0.x ant\u00e9rieures \u00e0 6.1.0.8\u003c/li\u003e \u003cli\u003eIBM Sterling B2B Integrator versions 6.1.1.x ant\u00e9rieures \u00e0 6.1.1.4\u003c/li\u003e \u003cli\u003eIBM Sterling B2B Integrator versions 6.1.2.x ant\u00e9rieures \u00e0 6.1.2.3\u003c/li\u003e \u003cli\u003eIBM Sterling B2B Integrator versions 6.1.2.x ant\u00e9rieures \u00e0 6.2.0.0\u003c/li\u003e \u003cli\u003eIBM AIX version 7.3\u003c/li\u003e \u003cli\u003eIBM AIX version 7.2\u003c/li\u003e \u003cli\u003eIBM VIOS version 4.1\u003c/li\u003e \u003cli\u003eIBM VIOS version 3.1\u003c/li\u003e \u003c/ul\u003e \u003cp\u003eSe r\u00e9f\u00e9rer aux bulletin de l\u0027\u00e9diteur pour les versions des fichiers vuln\u00e9rables (cf. section Documentation).\u003c/p\u003e ",
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-37920",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-37920"
    },
    {
      "name": "CVE-2023-1436",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-1436"
    },
    {
      "name": "CVE-2023-44487",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
    },
    {
      "name": "CVE-2023-26049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26049"
    },
    {
      "name": "CVE-2023-34040",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-34040"
    },
    {
      "name": "CVE-2022-40149",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
    },
    {
      "name": "CVE-2023-42795",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-42795"
    },
    {
      "name": "CVE-2022-40150",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
    },
    {
      "name": "CVE-2023-36478",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36478"
    },
    {
      "name": "CVE-2023-45648",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45648"
    },
    {
      "name": "CVE-2023-40787",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-40787"
    },
    {
      "name": "CVE-2022-45693",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-45693"
    },
    {
      "name": "CVE-2023-3341",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-3341"
    },
    {
      "name": "CVE-2023-43804",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-43804"
    },
    {
      "name": "CVE-2023-40167",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-40167"
    },
    {
      "name": "CVE-2023-22045",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22045"
    },
    {
      "name": "CVE-2023-22049",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-22049"
    },
    {
      "name": "CVE-2023-36479",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-36479"
    },
    {
      "name": "CVE-2022-45685",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-45685"
    },
    {
      "name": "CVE-2023-41835",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41835"
    },
    {
      "name": "CVE-2023-46604",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-46604"
    },
    {
      "name": "CVE-2023-35001",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-35001"
    },
    {
      "name": "CVE-2023-41080",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41080"
    },
    {
      "name": "CVE-2023-46589",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-46589"
    },
    {
      "name": "CVE-2023-47146",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-47146"
    },
    {
      "name": "CVE-2023-32233",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-32233"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-1055",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-12-22T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    },
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles produits IBM\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9\ndes donn\u00e9es, une ex\u00e9cution de code arbitraire \u00e0 distance,\u00a0un d\u00e9ni de\nservice \u00e0 distance et une \u00e9l\u00e9vation de privil\u00e8ges.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7099297 du 18 d\u00e9cembre 2023",
      "url": "https://www.ibm.com/support/pages/node/7099862"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7101062 du 21 d\u00e9cembre 2023",
      "url": null
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7099862 du 19 d\u00e9cembre 2023",
      "url": "https://www.ibm.com/support/pages/node/7101062"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7099313 du 18 d\u00e9cembre 2023",
      "url": "https://www.ibm.com/support/pages/node/7099313"
    }
  ]
}

CERTFR-2023-AVI-0750

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans Apache Struts. Elle permet à un attaquant de provoquer un déni de service à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Apache	Struts	Struts versions antérieures à 6.1.2.2
Apache	Struts	Struts versions antérieures à 2.5.32
Apache	Struts	Struts versions antérieures à 6.3.0.1

References

Title

Publication Time

Tags

Bulletin de sécurité Struts s2-065 du 13 septembre 2023

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Struts versions ant\u00e9rieures \u00e0 6.1.2.2",
      "product": {
        "name": "Struts",
        "vendor": {
          "name": "Apache",
          "scada": false
        }
      }
    },
    {
      "description": "Struts versions ant\u00e9rieures \u00e0 2.5.32",
      "product": {
        "name": "Struts",
        "vendor": {
          "name": "Apache",
          "scada": false
        }
      }
    },
    {
      "description": "Struts versions ant\u00e9rieures \u00e0 6.3.0.1",
      "product": {
        "name": "Struts",
        "vendor": {
          "name": "Apache",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-41835",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-41835"
    }
  ],
  "links": [],
  "reference": "CERTFR-2023-AVI-0750",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2023-09-14T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Apache\u003cspan class=\"textit\"\u003e\nStruts\u003c/span\u003e. Elle permet \u00e0 un attaquant de provoquer un d\u00e9ni de\nservice \u00e0 distance.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Apache Struts",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Struts s2-065 du 13 septembre 2023",
      "url": "https://cwiki.apache.org/confluence/display/WW/s2-065"
    }
  ]
}

NCSC-2024-0231

Vulnerability from csaf_ncscnl - Published: 2024-05-22 11:13 - Updated: 2024-05-22 11:13

Summary

Kwetsbaarheden verholpen in Atlassian producten

Notes

The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions: NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein. NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory. This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings.

Feiten

Atlassian heeft kwetsbaarheden verholpen in diverse producten, zoals Jira, Confluence en Bitbucket.

Interpretaties

Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade: - Cross-Site Request Forgery (XSRF) - Denial-of-Service (DoS) - Omzeilen van authenticatie - (Remote) code execution (Administrator/Root rechten) - (Remote) code execution (Gebruikersrechten) - SQL Injection - Toegang tot systeemgegevens

Oplossingen

Atlassian heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie: https://confluence.atlassian.com/security/security-bulletin-may-21-2024-1387867145.html

Kans

medium

Schade

high

CWE-284

Improper Access Control

CWE-20

Improper Input Validation

CWE-281

Improper Preservation of Permissions

CWE-400

Uncontrolled Resource Consumption

CWE-404

Improper Resource Shutdown or Release

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CWE-459

Incomplete Cleanup

CWE-502

Deserialization of Untrusted Data

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

CWE-770

Allocation of Resources Without Limits or Throttling

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-913

Improper Control of Dynamically-Managed Code Resources

CWE-96

Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

JSON

To clipboard

{
  "document": {
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "nl",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n    NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n    NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n    This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
      },
      {
        "category": "description",
        "text": "Atlassian heeft kwetsbaarheden verholpen in diverse producten, zoals Jira, Confluence en Bitbucket.",
        "title": "Feiten"
      },
      {
        "category": "description",
        "text": "Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorie\u00ebn schade:\n\n- Cross-Site Request Forgery (XSRF)\n- Denial-of-Service (DoS)\n- Omzeilen van authenticatie\n- (Remote) code execution (Administrator/Root rechten)\n- (Remote) code execution (Gebruikersrechten)\n- SQL Injection\n- Toegang tot systeemgegevens\n",
        "title": "Interpretaties"
      },
      {
        "category": "description",
        "text": "Atlassian heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie:\n\nhttps://confluence.atlassian.com/security/security-bulletin-may-21-2024-1387867145.html",
        "title": "Oplossingen"
      },
      {
        "category": "general",
        "text": "medium",
        "title": "Kans"
      },
      {
        "category": "general",
        "text": "high",
        "title": "Schade"
      },
      {
        "category": "general",
        "text": "Improper Access Control",
        "title": "CWE-284"
      },
      {
        "category": "general",
        "text": "Improper Input Validation",
        "title": "CWE-20"
      },
      {
        "category": "general",
        "text": "Improper Preservation of Permissions",
        "title": "CWE-281"
      },
      {
        "category": "general",
        "text": "Uncontrolled Resource Consumption",
        "title": "CWE-400"
      },
      {
        "category": "general",
        "text": "Improper Resource Shutdown or Release",
        "title": "CWE-404"
      },
      {
        "category": "general",
        "text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
        "title": "CWE-444"
      },
      {
        "category": "general",
        "text": "Incomplete Cleanup",
        "title": "CWE-459"
      },
      {
        "category": "general",
        "text": "Deserialization of Untrusted Data",
        "title": "CWE-502"
      },
      {
        "category": "general",
        "text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
        "title": "CWE-601"
      },
      {
        "category": "general",
        "text": "Allocation of Resources Without Limits or Throttling",
        "title": "CWE-770"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
        "title": "CWE-89"
      },
      {
        "category": "general",
        "text": "Improper Control of Dynamically-Managed Code Resources",
        "title": "CWE-913"
      },
      {
        "category": "general",
        "text": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
        "title": "CWE-96"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "cert@ncsc.nl",
      "name": "Nationaal Cyber Security Centrum",
      "namespace": "https://www.ncsc.nl/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Reference - cveprojectv5; nvd",
        "url": "https://confluence.atlassian.com/pages/viewpage.action?pageId=1387867145"
      }
    ],
    "title": "Kwetsbaarheden verholpen in Atlassian producten",
    "tracking": {
      "current_release_date": "2024-05-22T11:13:07.693855Z",
      "id": "NCSC-2024-0231",
      "initial_release_date": "2024-05-22T11:13:07.693855Z",
      "revision_history": [
        {
          "date": "2024-05-22T11:13:07.693855Z",
          "number": "0",
          "summary": "Initiele versie"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "bamboo",
            "product": {
              "name": "bamboo",
              "product_id": "CSAFPID-716889",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:atlassian:bamboo:*:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "bitbucket",
            "product": {
              "name": "bitbucket",
              "product_id": "CSAFPID-344199",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:atlassian:bitbucket:*:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "confluence",
            "product": {
              "name": "confluence",
              "product_id": "CSAFPID-551338",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:atlassian:confluence:*:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "crowd",
            "product": {
              "name": "crowd",
              "product_id": "CSAFPID-344399",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:atlassian:crowd:*:*:*:*:*:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "jira_service_management",
            "product": {
              "name": "jira_service_management",
              "product_id": "CSAFPID-343852",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:data_center:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "jira_service_management",
            "product": {
              "name": "jira_service_management",
              "product_id": "CSAFPID-343851",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:atlassian:jira_service_management:*:*:*:*:server:*:*:*"
              }
            }
          },
          {
            "category": "product_name",
            "name": "jira",
            "product": {
              "name": "jira",
              "product_id": "CSAFPID-98204",
              "product_identification_helper": {
                "cpe": "cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "atlassian"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2017-7656",
      "cwe": {
        "id": "CWE-444",
        "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)",
          "title": "CWE-444"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2017-7656",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2017/CVE-2017-7656.json"
        }
      ],
      "title": "CVE-2017-7656"
    },
    {
      "cve": "CVE-2017-9735",
      "references": [
        {
          "category": "self",
          "summary": "CVE-2017-9735",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2017/CVE-2017-9735.json"
        }
      ],
      "title": "CVE-2017-9735"
    },
    {
      "cve": "CVE-2020-10672",
      "cwe": {
        "id": "CWE-96",
        "name": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
          "title": "CWE-96"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-10672",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-10672.json"
        }
      ],
      "title": "CVE-2020-10672"
    },
    {
      "cve": "CVE-2020-10673",
      "cwe": {
        "id": "CWE-96",
        "name": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
          "title": "CWE-96"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-10673",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-10673.json"
        }
      ],
      "title": "CVE-2020-10673"
    },
    {
      "cve": "CVE-2020-10968",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-10968",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-10968.json"
        }
      ],
      "title": "CVE-2020-10968"
    },
    {
      "cve": "CVE-2020-10969",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-10969",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-10969.json"
        }
      ],
      "title": "CVE-2020-10969"
    },
    {
      "cve": "CVE-2020-11111",
      "cwe": {
        "id": "CWE-96",
        "name": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
          "title": "CWE-96"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-11111",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-11111.json"
        }
      ],
      "title": "CVE-2020-11111"
    },
    {
      "cve": "CVE-2020-11112",
      "cwe": {
        "id": "CWE-96",
        "name": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
          "title": "CWE-96"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-11112",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-11112.json"
        }
      ],
      "title": "CVE-2020-11112"
    },
    {
      "cve": "CVE-2020-11113",
      "cwe": {
        "id": "CWE-96",
        "name": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
          "title": "CWE-96"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-11113",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-11113.json"
        }
      ],
      "title": "CVE-2020-11113"
    },
    {
      "cve": "CVE-2020-24616",
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-24616",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-24616.json"
        }
      ],
      "title": "CVE-2020-24616"
    },
    {
      "cve": "CVE-2020-35728",
      "cwe": {
        "id": "CWE-96",
        "name": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Directives in Statically Saved Code (\u0027Static Code Injection\u0027)",
          "title": "CWE-96"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-35728",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-35728.json"
        }
      ],
      "title": "CVE-2020-35728"
    },
    {
      "cve": "CVE-2020-36179",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-36179",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-36179.json"
        }
      ],
      "title": "CVE-2020-36179"
    },
    {
      "cve": "CVE-2020-36180",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-36180",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-36180.json"
        }
      ],
      "title": "CVE-2020-36180"
    },
    {
      "cve": "CVE-2020-36181",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-36181",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-36181.json"
        }
      ],
      "title": "CVE-2020-36181"
    },
    {
      "cve": "CVE-2020-36182",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-36182",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-36182.json"
        }
      ],
      "title": "CVE-2020-36182"
    },
    {
      "cve": "CVE-2020-36184",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-36184",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-36184.json"
        }
      ],
      "title": "CVE-2020-36184"
    },
    {
      "cve": "CVE-2020-36188",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2020-36188",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2020/CVE-2020-36188.json"
        }
      ],
      "title": "CVE-2020-36188"
    },
    {
      "cve": "CVE-2021-28165",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "notes": [
        {
          "category": "other",
          "text": "Uncontrolled Resource Consumption",
          "title": "CWE-400"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2021-28165",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2021/CVE-2021-28165.json"
        }
      ],
      "title": "CVE-2021-28165"
    },
    {
      "cve": "CVE-2022-25647",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-25647",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-25647.json"
        }
      ],
      "title": "CVE-2022-25647"
    },
    {
      "cve": "CVE-2022-41966",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "notes": [
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        },
        {
          "category": "other",
          "text": "Improper Resource Shutdown or Release",
          "title": "CWE-404"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-41966",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-41966.json"
        }
      ],
      "title": "CVE-2022-41966"
    },
    {
      "cve": "CVE-2022-42003",
      "cwe": {
        "id": "CWE-404",
        "name": "Improper Resource Shutdown or Release"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Resource Shutdown or Release",
          "title": "CWE-404"
        },
        {
          "category": "other",
          "text": "Deserialization of Untrusted Data",
          "title": "CWE-502"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2022-42003",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2022/CVE-2022-42003.json"
        }
      ],
      "title": "CVE-2022-42003"
    },
    {
      "cve": "CVE-2023-4759",
      "references": [
        {
          "category": "self",
          "summary": "CVE-2023-4759",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-4759.json"
        }
      ],
      "title": "CVE-2023-4759"
    },
    {
      "cve": "CVE-2023-34396",
      "references": [
        {
          "category": "self",
          "summary": "CVE-2023-34396",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-34396.json"
        }
      ],
      "title": "CVE-2023-34396"
    },
    {
      "cve": "CVE-2023-41835",
      "cwe": {
        "id": "CWE-913",
        "name": "Improper Control of Dynamically-Managed Code Resources"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Control of Dynamically-Managed Code Resources",
          "title": "CWE-913"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2023-41835",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-41835.json"
        }
      ],
      "title": "CVE-2023-41835"
    },
    {
      "cve": "CVE-2023-45859",
      "cwe": {
        "id": "CWE-281",
        "name": "Improper Preservation of Permissions"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Preservation of Permissions",
          "title": "CWE-281"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2023-45859",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2023/CVE-2023-45859.json"
        }
      ],
      "title": "CVE-2023-45859"
    },
    {
      "cve": "CVE-2024-1597",
      "cwe": {
        "id": "CWE-89",
        "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
          "title": "CWE-89"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-1597",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-1597.json"
        }
      ],
      "title": "CVE-2024-1597"
    },
    {
      "cve": "CVE-2024-21634",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "other",
          "text": "Allocation of Resources Without Limits or Throttling",
          "title": "CWE-770"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-21634",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21634.json"
        }
      ],
      "title": "CVE-2024-21634"
    },
    {
      "cve": "CVE-2024-21683",
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-21683",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-21683.json"
        }
      ],
      "title": "CVE-2024-21683"
    },
    {
      "cve": "CVE-2024-22257",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Access Control",
          "title": "CWE-284"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-22257",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-22257.json"
        }
      ],
      "title": "CVE-2024-22257"
    },
    {
      "cve": "CVE-2024-22262",
      "cwe": {
        "id": "CWE-601",
        "name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
      },
      "notes": [
        {
          "category": "other",
          "text": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
          "title": "CWE-601"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-22262",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-22262.json"
        }
      ],
      "title": "CVE-2024-22262"
    },
    {
      "cve": "CVE-2024-23672",
      "cwe": {
        "id": "CWE-459",
        "name": "Incomplete Cleanup"
      },
      "notes": [
        {
          "category": "other",
          "text": "Incomplete Cleanup",
          "title": "CWE-459"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-23672",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-23672.json"
        }
      ],
      "title": "CVE-2024-23672"
    },
    {
      "cve": "CVE-2024-24549",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "notes": [
        {
          "category": "other",
          "text": "Improper Input Validation",
          "title": "CWE-20"
        }
      ],
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-24549",
          "url": "https://api.ncsc.nl/velma/v1/vulnerabilities/2024/CVE-2024-24549.json"
        }
      ],
      "title": "CVE-2024-24549"
    }
  ]
}

WID-SEC-W-2023-2346

Vulnerability from csaf_certbund - Published: 2023-09-13 22:00 - Updated: 2024-09-02 22:00

Summary

Apache Struts: Schwachstelle ermöglicht Denial of Service

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Struts ist ein Framework für Java-Anwendungen auf dem Webserver Apache.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Struts ausnutzen, um einen Denial of Service Angriff durchzuführen.

Betroffene Betriebssysteme

- Linux - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Struts ist ein Framework f\u00fcr Java-Anwendungen auf dem Webserver Apache.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Struts ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-2346 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2346.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-2346 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2346"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7095695 vom 2023-12-12",
        "url": "https://www.ibm.com/support/pages/node/7095695"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7099297 vom 2023-12-18",
        "url": "https://www.ibm.com/support/pages/node/7099297"
      },
      {
        "category": "external",
        "summary": "Apache Struts Security Bulletin vom 2023-09-13",
        "url": "https://cwiki.apache.org/confluence/display/WW/S2-065"
      },
      {
        "category": "external",
        "summary": "Atlassian Security Bulletin Februar 2024",
        "url": "https://confluence.atlassian.com/security/security-bulletin-february-20-2024-1354501606.html"
      },
      {
        "category": "external",
        "summary": "Atlassian Security Advisory CONFSERVER-93825 vom 2024-01-03",
        "url": "https://jira.atlassian.com/browse/CONFSERVER-93825"
      },
      {
        "category": "external",
        "summary": "Atlassian Security Advisory CONFSERVER-93827 vom 2024-01-03",
        "url": "https://jira.atlassian.com/browse/CONFSERVER-93827"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7085934 vom 2023-11-30",
        "url": "https://www.ibm.com/support/pages/node/7085934"
      },
      {
        "category": "external",
        "summary": "Atlassian Security Advisory CONFSERVER-94106 vom 2024-05-28",
        "url": "http://jira.atlassian.com/browse/CONFSERVER-94106"
      },
      {
        "category": "external",
        "summary": "Dell Security Advisory DSA-2024-280 vom 2024-06-26",
        "url": "https://www.dell.com/support/kbdoc/de-de/000226407/dsa-2024-280-security-update-for-dell-avamar-and-dell-avamar-virtual-edition-multiple-security-vulnerabilities"
      },
      {
        "category": "external",
        "summary": "HCL Article KB0109323 vom 2024-09-03",
        "url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0109323"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache Struts: Schwachstelle erm\u00f6glicht Denial of Service",
    "tracking": {
      "current_release_date": "2024-09-02T22:00:00.000+00:00",
      "generator": {
        "date": "2024-09-03T08:15:06.036+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.6"
        }
      },
      "id": "WID-SEC-W-2023-2346",
      "initial_release_date": "2023-09-13T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-09-13T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2023-11-29T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2023-12-12T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2023-12-18T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2024-01-02T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Atlassian aufgenommen"
        },
        {
          "date": "2024-02-20T23:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates aufgenommen"
        },
        {
          "date": "2024-05-27T22:00:00.000+00:00",
          "number": "7",
          "summary": "Neue Updates von Atlassian aufgenommen"
        },
        {
          "date": "2024-06-25T22:00:00.000+00:00",
          "number": "8",
          "summary": "Neue Updates von Dell aufgenommen"
        },
        {
          "date": "2024-09-02T22:00:00.000+00:00",
          "number": "9",
          "summary": "Neue Updates von HCL aufgenommen"
        }
      ],
      "status": "final",
      "version": "9"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2.5.32",
                "product": {
                  "name": "Apache Struts \u003c2.5.32",
                  "product_id": "T029833"
                }
              },
              {
                "category": "product_version",
                "name": "2.5.32",
                "product": {
                  "name": "Apache Struts 2.5.32",
                  "product_id": "T029833-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:struts:2.5.32"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.1.2.2",
                "product": {
                  "name": "Apache Struts \u003c6.1.2.2",
                  "product_id": "T029834"
                }
              },
              {
                "category": "product_version",
                "name": "6.1.2.2",
                "product": {
                  "name": "Apache Struts 6.1.2.2",
                  "product_id": "T029834-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:struts:6.1.2.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.3.0.1",
                "product": {
                  "name": "Apache Struts \u003c6.3.0.1",
                  "product_id": "T029835"
                }
              },
              {
                "category": "product_version",
                "name": "6.3.0.1",
                "product": {
                  "name": "Apache Struts 6.3.0.1",
                  "product_id": "T029835-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:struts:6.3.0.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Struts"
          }
        ],
        "category": "vendor",
        "name": "Apache"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "8.5",
                "product": {
                  "name": "Atlassian Confluence 8.5",
                  "product_id": "T031847",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:8.5"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "8.7",
                "product": {
                  "name": "Atlassian Confluence 8.7",
                  "product_id": "T031848",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:8.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c7.19.18",
                "product": {
                  "name": "Atlassian Confluence \u003c7.19.18",
                  "product_id": "T032051"
                }
              },
              {
                "category": "product_version",
                "name": "7.19.18",
                "product": {
                  "name": "Atlassian Confluence 7.19.18",
                  "product_id": "T032051-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:7.19.18"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c8.5.5",
                "product": {
                  "name": "Atlassian Confluence \u003c8.5.5",
                  "product_id": "T032052"
                }
              },
              {
                "category": "product_version",
                "name": "8.5.5",
                "product": {
                  "name": "Atlassian Confluence 8.5.5",
                  "product_id": "T032052-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:8.5.5"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c8.7.2",
                "product": {
                  "name": "Atlassian Confluence \u003c8.7.2",
                  "product_id": "T032053"
                }
              },
              {
                "category": "product_version",
                "name": "8.7.2",
                "product": {
                  "name": "Atlassian Confluence 8.7.2",
                  "product_id": "T032053-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:8.7.2"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c8.8.0",
                "product": {
                  "name": "Atlassian Confluence \u003c8.8.0",
                  "product_id": "T033011"
                }
              },
              {
                "category": "product_version",
                "name": "8.8.0",
                "product": {
                  "name": "Atlassian Confluence 8.8.0",
                  "product_id": "T033011-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:8.8.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Data Center \u003c8.8.0",
                "product": {
                  "name": "Atlassian Confluence Data Center \u003c8.8.0",
                  "product_id": "T033012"
                }
              },
              {
                "category": "product_version",
                "name": "Data Center 8.8.0",
                "product": {
                  "name": "Atlassian Confluence Data Center 8.8.0",
                  "product_id": "T033012-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:data_center_8.8.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Server \u003c8.5.6 LTS",
                "product": {
                  "name": "Atlassian Confluence Server \u003c8.5.6 LTS",
                  "product_id": "T033019"
                }
              },
              {
                "category": "product_version",
                "name": "Server 8.5.6 LTS",
                "product": {
                  "name": "Atlassian Confluence Server 8.5.6 LTS",
                  "product_id": "T033019-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:atlassian:confluence:server_8.5.6_lts"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Confluence"
          }
        ],
        "category": "vendor",
        "name": "Atlassian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "EMC Avamar",
            "product": {
              "name": "EMC Avamar",
              "product_id": "T014381",
              "product_identification_helper": {
                "cpe": "cpe:/a:emc:avamar:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "EMC"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c9.1.16",
                "product": {
                  "name": "HCL Commerce \u003c9.1.16",
                  "product_id": "T037230"
                }
              },
              {
                "category": "product_version",
                "name": "9.1.16",
                "product": {
                  "name": "HCL Commerce 9.1.16",
                  "product_id": "T037230-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:hcltechsw:commerce:9.1.16"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Commerce"
          }
        ],
        "category": "vendor",
        "name": "HCL"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "7.5",
                "product": {
                  "name": "IBM QRadar SIEM 7.5",
                  "product_id": "T022954",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:qradar_siem:7.5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "QRadar SIEM"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "11.5",
                "product": {
                  "name": "IBM Security Guardium 11.5",
                  "product_id": "1411051",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:security_guardium:11.5"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Security Guardium"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "8.1.0",
                "product": {
                  "name": "IBM Tivoli Netcool/OMNIbus 8.1.0",
                  "product_id": "T031410",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:tivoli_netcool%2fomnibus:8.1.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Tivoli Netcool/OMNIbus"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-41835",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in Apache Struts. Dieser Fehler besteht im Prozess der Multipart-Anforderung, wenn die Felder die maxStringLength-Grenze \u00fcberschreiten, bleiben die Upload-Dateien in struts.multipart.saveDir. Ein entfernter Angreifer kann diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T031410",
          "T033019",
          "T032052",
          "T032053",
          "T032051",
          "T033011",
          "T033012",
          "T022954",
          "T014381",
          "T037230",
          "T031847",
          "T029835",
          "T029834",
          "T029833",
          "T031848",
          "1411051"
        ]
      },
      "release_date": "2023-09-13T22:00:00.000+00:00",
      "title": "CVE-2023-41835"
    }
  ]
}

GHSA-729Q-FCGP-R5XH

Vulnerability from github – Published: 2023-12-05 09:33 – Updated: 2025-11-04 22:10

Summary

Apache Struts Improper Control of Dynamically-Managed Code Resources vulnerability

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.struts:struts2-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.2.0"
            },
            {
              "fixed": "6.3.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.struts:struts2-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0"
            },
            {
              "fixed": "6.1.2.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.struts:struts2-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.32"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-41835"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-459"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-05T23:34:18Z",
    "nvd_published_at": "2023-12-05T09:15:07Z",
    "severity": "HIGH"
  },
  "details": "When a Multipart request is performed but some of the fields exceed the maxStringLength limit, the upload files will remain in struts.multipart.saveDir\u00a0even if the request has been denied.\nUsers are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fix this issue.",
  "id": "GHSA-729q-fcgp-r5xh",
  "modified": "2025-11-04T22:10:45Z",
  "published": "2023-12-05T09:33:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41835"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/struts/commit/3292152f8c0a77ee4827beede82b6580478a2c2a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/struts/commit/bf54436869c264941dd192c752a4abfaa65d3711"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/struts"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20231013-0001"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2023/12/09/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/12/09/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Struts Improper Control of Dynamically-Managed Code Resources vulnerability"
}

GSD-2023-41835

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-41835

Aliases

CVE-2023-41835

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-41835",
    "id": "GSD-2023-41835"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-41835"
      ],
      "details": "When a Multipart request is performed but some of the fields exceed the maxStringLength\u00a0 limit, the upload files will remain in struts.multipart.saveDir\u00a0 even if the request has been denied.\nUsers are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue.",
      "id": "GSD-2023-41835",
      "modified": "2023-12-13T01:20:45.425614Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2023-41835",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache Struts",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c=",
                          "version_name": "2.0.0",
                          "version_value": "2.5.31"
                        },
                        {
                          "version_affected": "\u003c=",
                          "version_name": "6.1.2.1",
                          "version_value": "6.3.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "When a Multipart request is performed but some of the fields exceed the maxStringLength\u00a0 limit, the upload files will remain in struts.multipart.saveDir\u00a0 even if the request has been denied.\nUsers are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-459",
                "lang": "eng",
                "value": "CWE-459 Incomplete Cleanup"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft"
          },
          {
            "name": "https://www.openwall.com/lists/oss-security/2023/12/09/1",
            "refsource": "MISC",
            "url": "https://www.openwall.com/lists/oss-security/2023/12/09/1"
          }
        ]
      },
      "source": {
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "F9AB79F4-6FCB-42EC-B241-099B97CC99ED",
                    "versionEndExcluding": "2.5.32",
                    "versionStartIncluding": "2.0.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "97723A4F-E3A6-4AF3-ACC9-3C9618A75220",
                    "versionEndExcluding": "6.3.0.1",
                    "versionStartIncluding": "6.1.2.1",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "When a Multipart request is performed but some of the fields exceed the maxStringLength\u00a0 limit, the upload files will remain in struts.multipart.saveDir\u00a0 even if the request has been denied.\nUsers are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue."
          },
          {
            "lang": "es",
            "value": "Cuando se realiza una solicitud multiparte pero algunos de los campos exceden el l\u00edmite maxStringLength, los archivos cargados permanecer\u00e1n en struts.multipart.saveDir incluso si la solicitud ha sido denegada. Se recomienda a los usuarios actualizar a las versiones Struts 2.5.32 o 6.1.2.2 o Struts 6.3.0.1 o superior, que solucionan este problema."
          }
        ],
        "id": "CVE-2023-41835",
        "lastModified": "2023-12-13T21:26:41.667",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2023-12-05T09:15:07.093",
        "references": [
          {
            "source": "security@apache.org",
            "tags": [
              "Mailing List",
              "Release Notes"
            ],
            "url": "https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft"
          },
          {
            "source": "security@apache.org",
            "tags": [
              "Mailing List",
              "Third Party Advisory"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2023/12/09/1"
          }
        ],
        "sourceIdentifier": "security@apache.org",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-459"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-459"
              }
            ],
            "source": "security@apache.org",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

FKIE_CVE-2023-41835

Vulnerability from fkie_nvd - Published: 2023-12-05 09:15 - Updated: 2025-11-04 20:16

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security@apache.org	https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft	Mailing List, Release Notes
security@apache.org	https://www.openwall.com/lists/oss-security/2023/12/09/1	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft	Mailing List, Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20231013-0001/
af854a3a-2127-422b-91ae-364da2661108	https://www.openwall.com/lists/oss-security/2023/12/09/1	Mailing List, Third Party Advisory

Impacted products

	Vendor	Product	Version
	apache	struts	*
	apache	struts	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F9AB79F4-6FCB-42EC-B241-099B97CC99ED",
              "versionEndExcluding": "2.5.32",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "97723A4F-E3A6-4AF3-ACC9-3C9618A75220",
              "versionEndExcluding": "6.3.0.1",
              "versionStartIncluding": "6.1.2.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "When a Multipart request is performed but some of the fields exceed the maxStringLength\u00a0 limit, the upload files will remain in struts.multipart.saveDir\u00a0 even if the request has been denied.\nUsers are recommended to upgrade to versions Struts 2.5.32 or 6.1.2.2 or Struts 6.3.0.1 or greater, which fixe this issue."
    },
    {
      "lang": "es",
      "value": "Cuando se realiza una solicitud multiparte pero algunos de los campos exceden el l\u00edmite maxStringLength, los archivos cargados permanecer\u00e1n en struts.multipart.saveDir incluso si la solicitud ha sido denegada. Se recomienda a los usuarios actualizar a las versiones Struts 2.5.32 o 6.1.2.2 o Struts 6.3.0.1 o superior, que solucionan este problema."
    }
  ],
  "id": "CVE-2023-41835",
  "lastModified": "2025-11-04T20:16:46.207",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2023-12-05T09:15:07.093",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Release Notes"
      ],
      "url": "https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://www.openwall.com/lists/oss-security/2023/12/09/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Release Notes"
      ],
      "url": "https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20231013-0001/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://www.openwall.com/lists/oss-security/2023/12/09/1"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-459"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-459"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-41835 (GCVE-0-2023-41835)

Solution

Solution

Solution

Solution

Solution

Solution

Tags

Sightings

Nomenclature