Medium severity6.2NVD Advisory· Published Dec 1, 2017· Updated May 13, 2026

CVE-2017-15707

Description

In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.struts:struts2-rest-pluginMaven	>= 2.5.0, < 2.5.16	2.5.16

Affected products

Apache/Struts
cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
Range: >=2.5,<=2.5.14
NetApp/Oncommand Balance
cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
Oracle Corporation/Agile Plm Framework
cpe:2.3:a:oracle:agile_plm_framework:9.3.6:*:*:*:*:*:*:*
Oracle Corporation/Enterprise Manager For Virtualization2 versions
cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.2.3:*:*:*:*:*:*:*
Oracle Corporation/Financial Services Hedge Management And Ifrs Valuations2 versions
cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.4:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.5:*:*:*:*:*:*:*
Oracle Corporation/Financial Services Market Risk Measurement And Management
cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*
Oracle Corporation/Global Lifecycle Management Opatchauto
cpe:2.3:a:oracle:global_lifecycle_management_opatchauto:*:*:*:*:*:*:*:*
Oracle Corporation/Jd Edwards Enterpriseone Tools
cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
Oracle Corporation/Retail Order Broker
cpe:2.3:a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*
Oracle Corporation/Retail Xstore Point Of Service5 versions
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.1:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:6.5.11:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:7.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1.6:*:*:*:*:*:*:*
Oracle Corporation/Webcenter Portal2 versions
cpe:2.3:a:oracle:webcenter_portal:12.2.1.2.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:oracle:webcenter_portal:12.2.1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
Oracle Corporation/Weblogic Server2 versions
cpe:2.3:a:oracle:weblogic_server:12.2.1.2:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:oracle:weblogic_server:12.2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*
Apache Software Foundation/Apache Strutsv5
Range: 2.5 to 2.5.14

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlnvdPatchWEB
www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlnvdPatchWEB
cwiki.apache.org/confluence/display/WW/S2-054nvdPatchVendor AdvisoryWEB
www.securityfocus.com/bid/102021nvdThird Party AdvisoryVDB EntryWEB
www.securitytracker.com/id/1039946nvdThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-xcrm-qpp8-hcw4ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-15707ghsaADVISORY
security.netapp.com/advisory/ntap-20171214-0001/nvdThird Party Advisory
security.netapp.com/advisory/ntap-20171214-0001ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.403
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000