Vulnerability Details CVE-2017-9805
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.944
EPSS Ranking 100.0%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 6.8
Proposed Action
Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.
Ransomware Campaign
Unknown
References
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
- http://www.securityfocus.com/bid/100609
- http://www.securitytracker.com/id/1039263
- https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
- https://bugzilla.redhat.com/show_bug.cgi?id=1488482
- https://cwiki.apache.org/confluence/display/WW/S2-052
- https://lgtm.com/blog/apache_struts_CVE-2017-9805
- https://security.netapp.com/advisory/ntap-20170907-0001/
- https://struts.apache.org/docs/s2-052.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2
- https://www.exploit-db.com/exploits/42627/
- https://www.kb.cert.org/vuls/id/112992
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
- http://www.securityfocus.com/bid/100609
- http://www.securitytracker.com/id/1039263
- https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
- https://bugzilla.redhat.com/show_bug.cgi?id=1488482
- https://cwiki.apache.org/confluence/display/WW/S2-052
- https://lgtm.com/blog/apache_struts_CVE-2017-9805
- https://security.netapp.com/advisory/ntap-20170907-0001/
- https://struts.apache.org/docs/s2-052.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2
- https://www.exploit-db.com/exploits/42627/
- https://www.kb.cert.org/vuls/id/112992
Products affected by CVE-2017-9805
-
cpe:2.3:a:apache:struts:2.1.2
-
cpe:2.3:a:apache:struts:2.1.3
-
cpe:2.3:a:apache:struts:2.1.4
-
cpe:2.3:a:apache:struts:2.1.5
-
cpe:2.3:a:apache:struts:2.1.6
-
cpe:2.3:a:apache:struts:2.1.7
-
cpe:2.3:a:apache:struts:2.1.8
-
cpe:2.3:a:apache:struts:2.1.8.1
-
cpe:2.3:a:apache:struts:2.2.1
-
cpe:2.3:a:apache:struts:2.2.1.1
-
cpe:2.3:a:apache:struts:2.2.3
-
cpe:2.3:a:apache:struts:2.2.3.1
-
cpe:2.3:a:apache:struts:2.3.0
-
cpe:2.3:a:apache:struts:2.3.1
-
cpe:2.3:a:apache:struts:2.3.1.1
-
cpe:2.3:a:apache:struts:2.3.1.2
-
cpe:2.3:a:apache:struts:2.3.10
-
cpe:2.3:a:apache:struts:2.3.11
-
cpe:2.3:a:apache:struts:2.3.12
-
cpe:2.3:a:apache:struts:2.3.13
-
cpe:2.3:a:apache:struts:2.3.14
-
cpe:2.3:a:apache:struts:2.3.14.1
-
cpe:2.3:a:apache:struts:2.3.14.2
-
cpe:2.3:a:apache:struts:2.3.14.3
-
cpe:2.3:a:apache:struts:2.3.15
-
cpe:2.3:a:apache:struts:2.3.15.1
-
cpe:2.3:a:apache:struts:2.3.15.2
-
cpe:2.3:a:apache:struts:2.3.15.3
-
cpe:2.3:a:apache:struts:2.3.16
-
cpe:2.3:a:apache:struts:2.3.16.1
-
cpe:2.3:a:apache:struts:2.3.16.2
-
cpe:2.3:a:apache:struts:2.3.16.3
-
cpe:2.3:a:apache:struts:2.3.17
-
cpe:2.3:a:apache:struts:2.3.19
-
cpe:2.3:a:apache:struts:2.3.20
-
cpe:2.3:a:apache:struts:2.3.20.1
-
cpe:2.3:a:apache:struts:2.3.20.2
-
cpe:2.3:a:apache:struts:2.3.20.3
-
cpe:2.3:a:apache:struts:2.3.21
-
cpe:2.3:a:apache:struts:2.3.22
-
cpe:2.3:a:apache:struts:2.3.23
-
cpe:2.3:a:apache:struts:2.3.24
-
cpe:2.3:a:apache:struts:2.3.24.1
-
cpe:2.3:a:apache:struts:2.3.24.2
-
cpe:2.3:a:apache:struts:2.3.24.3
-
cpe:2.3:a:apache:struts:2.3.25
-
cpe:2.3:a:apache:struts:2.3.26
-
cpe:2.3:a:apache:struts:2.3.27
-
cpe:2.3:a:apache:struts:2.3.28
-
cpe:2.3:a:apache:struts:2.3.28.1
-
cpe:2.3:a:apache:struts:2.3.29
-
cpe:2.3:a:apache:struts:2.3.3
-
cpe:2.3:a:apache:struts:2.3.30
-
cpe:2.3:a:apache:struts:2.3.31
-
cpe:2.3:a:apache:struts:2.3.32
-
cpe:2.3:a:apache:struts:2.3.33
-
cpe:2.3:a:apache:struts:2.3.4
-
cpe:2.3:a:apache:struts:2.3.4.1
-
cpe:2.3:a:apache:struts:2.3.5
-
cpe:2.3:a:apache:struts:2.3.6
-
cpe:2.3:a:apache:struts:2.3.7
-
cpe:2.3:a:apache:struts:2.3.8
-
cpe:2.3:a:apache:struts:2.3.9
-
cpe:2.3:a:apache:struts:2.5.0
-
cpe:2.3:a:apache:struts:2.5.1
-
cpe:2.3:a:apache:struts:2.5.10
-
cpe:2.3:a:apache:struts:2.5.10.1
-
cpe:2.3:a:apache:struts:2.5.11
-
cpe:2.3:a:apache:struts:2.5.12
-
cpe:2.3:a:apache:struts:2.5.2
-
cpe:2.3:a:apache:struts:2.5.3
-
cpe:2.3:a:apache:struts:2.5.4
-
cpe:2.3:a:apache:struts:2.5.5
-
cpe:2.3:a:apache:struts:2.5.6
-
cpe:2.3:a:apache:struts:2.5.7
-
cpe:2.3:a:apache:struts:2.5.8
-
cpe:2.3:a:apache:struts:2.5.9
-
cpe:2.3:a:cisco:digital_media_manager:-
-
cpe:2.3:a:cisco:hosted_collaboration_solution:10.5(1)
-
cpe:2.3:a:cisco:hosted_collaboration_solution:11.0(1)
-
cpe:2.3:a:cisco:hosted_collaboration_solution:11.5(1)
-
cpe:2.3:a:cisco:hosted_collaboration_solution:11.6(1)
-
cpe:2.3:a:cisco:media_experience_engine:3.5
-
cpe:2.3:a:cisco:media_experience_engine:3.5.2
-
cpe:2.3:a:cisco:network_performance_analysis:-
-
cpe:2.3:a:cisco:video_distribution_suite_for_internet_streaming:-
-
cpe:2.3:a:netapp:oncommand_balance:-