CVE-2017-15707

In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.

Published: Dec 1, 2017
Updated: Nov 9, 2025
CVE: CVE-2017-15707
GHSA: GHSA-xcrm-qpp8-hcw4
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
apache / struts	2.5	2.5.14.x
oracle / weblogic_server	12.2.1.2	12.2.1.2.x
oracle / jd_edwards_enterpriseone_tools	9.2	9.2.x
oracle / retail_xstore_point_of_service	7.1.6	7.1.6.x
oracle / retail_xstore_point_of_service	7.0.6	7.0.6.x
oracle / retail_xstore_point_of_service	6.5.11	6.5.11.x
oracle / retail_xstore_point_of_service	15.0.1	15.0.1.x
oracle / financial_services_market_risk_measurement_and_management	8.0.5	8.0.5.x
oracle / webcenter_portal	12.2.1.3.0	12.2.1.3.0.x
oracle / webcenter_portal	12.2.1.2.0	12.2.1.2.0.x
oracle / weblogic_server	12.2.1.3	12.2.1.3.x
oracle / retail_xstore_point_of_service	16.0.2	16.0.2.x
oracle / retail_order_broker	5.2	5.2.x
oracle / enterprise_manager_for_virtualization	13.2.2	13.2.2.x
oracle / enterprise_manager_for_virtualization	13.2.3	13.2.3.x
oracle / financial_services_hedge_management_and_ifrs_valuations	8.0.4	8.0.4.x
oracle / financial_services_hedge_management_and_ifrs_valuations	8.0.5	8.0.5.x
oracle / global_lifecycle_management_opatchauto	-	-
oracle / agile_plm_framework	9.3.6	9.3.6.x
org.apache.struts / struts2-rest-plugin	2.5.0	2.5.16

Vulnerability Database

300,445

CVE-2017-15707

Deep Security Visibility Without the Complexity