
Via http://opennet.ru/47170/


    I think the interesting part is that we still don’t know the exact vulnerability that allowed Equifax to be compromised. This statement mentions CVE-2017-9805 because that’s what was asserted elsewhere, but given the timeline, no part of CVE-2017-9805 would have been disclosed at the time of attack, meaning that the hackers would have had to discover the vulnerability independently.

    Another Struts vulnerability that’s a decent candidate is CVE-2017-5638 [1], which allows injection of arbitrary commands via a crafted Content-Type header.

    [1] https://www.cvedetails.com/cve/CVE-2017-5638/


      According to Matthew Bricker (Struts developer) it was CVE-2017-5638.

      https://twitter.com/MatthewBricker/status/907617331555250176
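The comment above says CVE-2017-5638 is triggered through a crafted Content-Type header. As an added example (not from the thread or the Struts project), the script below scans constructed access-log lines whose last quoted field is assumed to hold the request's Content-Type, and flags values that carry an expression marker or that are not a well-formed media type at all, which is how a defender would look back through logs for this kind of request.

```python
import re

# Constructed sample log: a hypothetical combined-log variant whose last quoted
# field is the request's Content-Type header. None of this is from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2017:12:00:01 +0000] "POST /upload.action HTTP/1.1" 200 512 "multipart/form-data; boundary=----abc123"
10.0.0.7 - - [10/Mar/2017:12:00:02 +0000] "POST /upload.action HTTP/1.1" 500 0 "%{constructed_ognl_marker}"
10.0.0.9 - - [10/Mar/2017:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-"
10.0.0.8 - - [10/Mar/2017:12:00:04 +0000] "POST /upload.action HTTP/1.1" 400 0 "text/plain; charset"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)"$'
)

# RFC 7230 "token" characters; note that "{" and "}" are not among them, so a
# legitimate media type never contains an expression marker like %{ or ${.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
MEDIA_TYPE_RE = re.compile(
    r"^" + TOKEN + r"/" + TOKEN
    + r"(\s*;\s*" + TOKEN + r"=(?:" + TOKEN + r"|\"[^\"]*\"))*\s*$"
)
EXPR_MARKERS = ("%{", "${")


def classify_content_type(value):
    """Return 'absent', 'expression-marker', 'malformed' or 'ok' for one header value."""
    if value in ("", "-"):
        return "absent"
    if any(marker in value for marker in EXPR_MARKERS):
        return "expression-marker"   # expression syntax has no place in a media type
    if not MEDIA_TYPE_RE.match(value):
        return "malformed"           # not type/subtype with well-formed parameters
    return "ok"


def scan_log(text):
    """Return (ip, request, content_type, verdict) for every request whose
    Content-Type is not a plain, well-formed media type."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrecognised line shape: skip rather than guess a field
        verdict = classify_content_type(m["ctype"])
        if verdict in ("expression-marker", "malformed"):
            findings.append((m["ip"], m["req"], m["ctype"], verdict))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A malformed value is worth a look but is not proof of anything; the expression-marker verdict is the one that should page someone.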