CVE-2017-9805
unknown
KEV
CVSS v3
—
CVSS v2
—
VIR risk
1.5
Description
Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.
CISA KEV
- Vendor
- Apache
- Product
- Struts
- Due date
- 2022-05-03
Predictions
Exploit likelihood
99%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: cisa-kev — https://nvd.nist.gov/vuln/detail/CVE-2017-9805
Exploits
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.struts:struts2-rest-plugin | >=2.1.1,<2.3.34 | 2.3.34 |
| Maven | org.apache.struts:struts2-rest-plugin | >=2.5.0,<2.5.13 | 2.5.13 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2017-9805
- https://github.com/apache/struts/commit/19494718865f2fb7da5ea363de3822f87fbda26
- https://github.com/apache/struts/commit/6dd6e5cfb7b5e020abffe7e8091bd63fe97c10a
- https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
- https://bugzilla.redhat.com/show_bug.cgi?id=1488482
- https://cwiki.apache.org/confluence/display/WW/S2-052
- https://github.com/apache/struts
- https://lgtm.com/blog/apache_struts_CVE-2017-9805
- https://security.netapp.com/advisory/ntap-20170907-0001
- https://struts.apache.org/docs/s2-052.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2
- https://web.archive.org/web/20170909031344/http://www.securityfocus.com/bid/100609
- https://web.archive.org/web/20170922053119/http://www.securitytracker.com/id/1039263
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-9805
- https://www.exploit-db.com/exploits/42627
- https://www.kb.cert.org/vuls/id/112992
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
- http://www.securityfocus.com/bid/100609
- http://www.securitytracker.com/id/1039263
Verify integrity in audit chain (admin only). AS-IS.