CVE-2017-9805
Severity: HIGH 8.1 | ⚠ KEV | EPSS 94.3%

REST Plugin in Apache Struts uses an XStreamHandler with an instance of XStream for deserialization without any type filtering

Published: 10/16/2018 | Modified: 10/22/2025 | Added to CISA KEV: 11/3/2021
Description
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
Affected packages (1)
- Maven / org.apache.struts:struts2-rest-plugin: >= 2.1.1, < 2.3.34
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.1 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
References (19)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2017-9805
- PATCH: https://github.com/apache/struts
- WEB: https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
- WEB: https://bugzilla.redhat.com/show_bug.cgi?id=1488482
- WEB: https://cwiki.apache.org/confluence/display/WW/S2-052
- WEB: https://github.com/apache/struts/commit/19494718865f2fb7da5ea363de3822f87fbda26
- WEB: https://github.com/apache/struts/commit/6dd6e5cfb7b5e020abffe7e8091bd63fe97c10a
- WEB: https://lgtm.com/blog/apache_struts_CVE-2017-9805
- WEB: https://security.netapp.com/advisory/ntap-20170907-0001
- WEB: https://struts.apache.org/docs/s2-052.html
- WEB: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2
- WEB: https://web.archive.org/web/20170909031344/http://www.securityfocus.com/bid/100609
- WEB: https://web.archive.org/web/20170922053119/http://www.securitytracker.com/id/1039263
- WEB: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-9805
- WEB: https://www.exploit-db.com/exploits/42627
- WEB: https://www.kb.cert.org/vuls/id/112992
- WEB: http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
- WEB: http://www.securityfocus.com/bid/100609
- WEB: http://www.securitytracker.com/id/1039263