What is the severity of CVE-2017-12611?

CVE-2017-12611 has a critical severity due to the potential for remote code execution vulnerabilities.

How do I fix CVE-2017-12611?

To fix CVE-2017-12611, upgrade to Apache Struts versions 2.5.11 or 2.3.34 or higher.

What versions are affected by CVE-2017-12611?

CVE-2017-12611 affects Apache Struts versions 2.0.0 to 2.3.33 and 2.5 to 2.5.10.1.

Can CVE-2017-12611 be exploited remotely?

Yes, CVE-2017-12611 can be exploited remotely if the application is misconfigured and accepts untrusted input.

Is there a patch available for CVE-2017-12611?

Yes, patches are available in the form of updated versions of Apache Struts, specifically 2.5.11 and 2.3.34.

Vulnerability/
CVE-2017-12611

critical

9.8

CWE

20/9/2017

16/10/2018

17/9/2024

CVE-2017-12611: Input Validation

First published: Wed Sep 20 2017(Updated: )

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.

Credit: security@apache.org

Affected Software	Affected Version	How to fix
maven/org.apache.struts:struts2-core	>=2.5.0<=2.5.10.1	2.5.11
maven/org.apache.struts:struts2-core	>=2.0.1<=2.3.33	2.3.34
Apache Struts 2	=2.0.1
Apache Struts 2	=2.0.2
Apache Struts 2	=2.0.3
Apache Struts 2	=2.0.4
Apache Struts 2	=2.0.5
Apache Struts 2	=2.0.6
Apache Struts 2	=2.0.7
Apache Struts 2	=2.0.8
Apache Struts 2	=2.0.9
Apache Struts 2	=2.0.10
Apache Struts 2	=2.0.11
Apache Struts 2	=2.0.11.1
Apache Struts 2	=2.0.11.2
Apache Struts 2	=2.0.12
Apache Struts 2	=2.0.13
Apache Struts 2	=2.0.14
Apache Struts 2	=2.1.0
Apache Struts 2	=2.1.1
Apache Struts 2	=2.1.2
Apache Struts 2	=2.1.3
Apache Struts 2	=2.1.4
Apache Struts 2	=2.1.5
Apache Struts 2	=2.1.6
Apache Struts 2	=2.1.8
Apache Struts 2	=2.1.8.1
Apache Struts 2	=2.2.1
Apache Struts 2	=2.2.1.1
Apache Struts 2	=2.2.3
Apache Struts 2	=2.2.3.1
Apache Struts 2	=2.3.1
Apache Struts 2	=2.3.1.1
Apache Struts 2	=2.3.1.2
Apache Struts 2	=2.3.3
Apache Struts 2	=2.3.4
Apache Struts 2	=2.3.4.1
Apache Struts 2	=2.3.5
Apache Struts 2	=2.3.6
Apache Struts 2	=2.3.7
Apache Struts 2	=2.3.8
Apache Struts 2	=2.3.9
Apache Struts 2	=2.3.10
Apache Struts 2	=2.3.11
Apache Struts 2	=2.3.12
Apache Struts 2	=2.3.13
Apache Struts 2	=2.3.14
Apache Struts 2	=2.3.14.1
Apache Struts 2	=2.3.14.2
Apache Struts 2	=2.3.14.3
Apache Struts 2	=2.3.15
Apache Struts 2	=2.3.15.1
Apache Struts 2	=2.3.15.2
Apache Struts 2	=2.3.15.3
Apache Struts 2	=2.3.16
Apache Struts 2	=2.3.16.1
Apache Struts 2	=2.3.16.2
Apache Struts 2	=2.3.16.3
Apache Struts 2	=2.3.17
Apache Struts 2	=2.3.19
Apache Struts 2	=2.3.20
Apache Struts 2	=2.3.20.1
Apache Struts 2	=2.3.20.2
Apache Struts 2	=2.3.21
Apache Struts 2	=2.3.22
Apache Struts 2	=2.3.23
Apache Struts 2	=2.3.24.2
Apache Struts 2	=2.3.24.3
Apache Struts 2	=2.3.25
Apache Struts 2	=2.3.26
Apache Struts 2	=2.3.27
Apache Struts 2	=2.3.28
Apache Struts 2	=2.3.28.1
Apache Struts 2	=2.3.29
Apache Struts 2	=2.3.30
Apache Struts 2	=2.3.31
Apache Struts 2	=2.3.32
Apache Struts 2	=2.3.33
Apache Struts 2	=2.5
Apache Struts 2	=2.5-beta1
Apache Struts 2	=2.5-beta2
Apache Struts 2	=2.5-beta3
Apache Struts 2	=2.5.1
Apache Struts 2	=2.5.2
Apache Struts 2	=2.5.3
Apache Struts 2	=2.5.4
Apache Struts 2	=2.5.5
Apache Struts 2	=2.5.6
Apache Struts 2	=2.5.7
Apache Struts 2	=2.5.8
Apache Struts 2	=2.5.9
Apache Struts 2	=2.5.10

Remedy

http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html

Remedy

https://kb.netapp.com/support/s/article/ka51A000000CgttQAC/NTAP-20170911-0001

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2017-12611?
CVE-2017-12611 has a critical severity due to the potential for remote code execution vulnerabilities.
How do I fix CVE-2017-12611?
To fix CVE-2017-12611, upgrade to Apache Struts versions 2.5.11 or 2.3.34 or higher.
What versions are affected by CVE-2017-12611?
CVE-2017-12611 affects Apache Struts versions 2.0.0 to 2.3.33 and 2.5 to 2.5.10.1.
Can CVE-2017-12611 be exploited remotely?
Yes, CVE-2017-12611 can be exploited remotely if the application is misconfigured and accepts untrusted input.
Is there a patch available for CVE-2017-12611?
Yes, patches are available in the form of updated versions of Apache Struts, specifically 2.5.11 and 2.3.34.

collector/github-advisory-latest
alias/GHSA-8fx9-5hx8-crhm
alias/CVE-2017-12611
agent/author
agent/type
agent/remedy
collector/github-advisory
source/GitHub
agent/software-canonical-lookup
agent/severity
agent/weakness
agent/references
agent/softwarecombine
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/first-publish-date
agent/event
agent/trending
agent/source
agent/tags
collector/nvd-cve
source/NVD
agent/software-canonical-lookup-request
collector/nvd-index
package-manager/maven
vendor/apache
canonical/apache struts 2
version/apache struts 2/2.0.1
version/apache struts 2/2.0.2
version/apache struts 2/2.0.3
version/apache struts 2/2.0.4
version/apache struts 2/2.0.5
version/apache struts 2/2.0.6
version/apache struts 2/2.0.7
version/apache struts 2/2.0.8
version/apache struts 2/2.0.9
version/apache struts 2/2.0.10
version/apache struts 2/2.0.11
version/apache struts 2/2.0.11.1
version/apache struts 2/2.0.11.2
version/apache struts 2/2.0.12
version/apache struts 2/2.0.13
version/apache struts 2/2.0.14
version/apache struts 2/2.1.0
version/apache struts 2/2.1.1
version/apache struts 2/2.1.2
version/apache struts 2/2.1.3
version/apache struts 2/2.1.4
version/apache struts 2/2.1.5
version/apache struts 2/2.1.6
version/apache struts 2/2.1.8
version/apache struts 2/2.1.8.1
version/apache struts 2/2.2.1
version/apache struts 2/2.2.1.1
version/apache struts 2/2.2.3
version/apache struts 2/2.2.3.1
version/apache struts 2/2.3.1
version/apache struts 2/2.3.1.1
version/apache struts 2/2.3.1.2
version/apache struts 2/2.3.3
version/apache struts 2/2.3.4
version/apache struts 2/2.3.4.1
version/apache struts 2/2.3.5
version/apache struts 2/2.3.6
version/apache struts 2/2.3.7
version/apache struts 2/2.3.8
version/apache struts 2/2.3.9
version/apache struts 2/2.3.10
version/apache struts 2/2.3.11
version/apache struts 2/2.3.12
version/apache struts 2/2.3.13
version/apache struts 2/2.3.14
version/apache struts 2/2.3.14.1
version/apache struts 2/2.3.14.2
version/apache struts 2/2.3.14.3
version/apache struts 2/2.3.15
version/apache struts 2/2.3.15.1
version/apache struts 2/2.3.15.2
version/apache struts 2/2.3.15.3
version/apache struts 2/2.3.16
version/apache struts 2/2.3.16.1
version/apache struts 2/2.3.16.2
version/apache struts 2/2.3.16.3
version/apache struts 2/2.3.17
version/apache struts 2/2.3.19
version/apache struts 2/2.3.20
version/apache struts 2/2.3.20.1
version/apache struts 2/2.3.20.2
version/apache struts 2/2.3.21
version/apache struts 2/2.3.22
version/apache struts 2/2.3.23
version/apache struts 2/2.3.24.2
version/apache struts 2/2.3.24.3
version/apache struts 2/2.3.25
version/apache struts 2/2.3.26
version/apache struts 2/2.3.27
version/apache struts 2/2.3.28
version/apache struts 2/2.3.28.1
version/apache struts 2/2.3.29
version/apache struts 2/2.3.30
version/apache struts 2/2.3.31
version/apache struts 2/2.3.32
version/apache struts 2/2.3.33
version/apache struts 2/2.5
version/apache struts 2/2.5-beta1
version/apache struts 2/2.5-beta2
version/apache struts 2/2.5-beta3
version/apache struts 2/2.5.1
version/apache struts 2/2.5.2
version/apache struts 2/2.5.3
version/apache struts 2/2.5.4
version/apache struts 2/2.5.5
version/apache struts 2/2.5.6
version/apache struts 2/2.5.7
version/apache struts 2/2.5.8
version/apache struts 2/2.5.9
version/apache struts 2/2.5.10

CVE-2017-12611: Input Validation

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2017-12611?

How do I fix CVE-2017-12611?

What versions are affected by CVE-2017-12611?

Can CVE-2017-12611 be exploited remotely?

Is there a patch available for CVE-2017-12611?

Company

Resources

Contact