The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is in the KEV database since Nov. 3, 2021.

The EPSS score is 0.9439.

Exploitation active

Automatable no

Technical Impact total

Affected Vendors & Products

Vendors Products
Apache
  • Struts
Cisco
  • Digital Media Manager
  • Hosted Collaboration Solution
  • Media Experience Engine
  • Network Performance Analysis
  • Video Distribution Suite For Internet Streaming
Netapp
  • Oncommand Balance

Configuration 1 [-]

OR cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:a:cisco:digital_media_manager:-:*:*:*:*:*:*:*
cpe:2.3:a:cisco:hosted_collaboration_solution:10.5\(1\):*:*:*:*:*:*:*
cpe:2.3:a:cisco:hosted_collaboration_solution:11.0\(1\):*:*:*:*:*:*:*
cpe:2.3:a:cisco:hosted_collaboration_solution:11.5\(1\):*:*:*:*:*:*:*
cpe:2.3:a:cisco:hosted_collaboration_solution:11.6\(1\):*:*:*:*:*:*:*
cpe:2.3:a:cisco:media_experience_engine:3.5:*:*:*:*:*:*:*
cpe:2.3:a:cisco:media_experience_engine:3.5.2:*:*:*:*:*:*:*
cpe:2.3:a:cisco:network_performance_analysis:-:*:*:*:*:*:*:*
cpe:2.3:a:cisco:video_distribution_suite_for_internet_streaming:-:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*

No data.

No data.

References
Link Providers
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html cve-icon cve-icon
http://www.securityfocus.com/bid/100609 cve-icon cve-icon
http://www.securitytracker.com/id/1039263 cve-icon cve-icon
https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=1488482 cve-icon cve-icon
https://cwiki.apache.org/confluence/display/WW/S2-052 cve-icon cve-icon
https://lgtm.com/blog/apache_struts_CVE-2017-9805 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2017-9805 cve-icon
https://security.netapp.com/advisory/ntap-20170907-0001/ cve-icon cve-icon
https://struts.apache.org/docs/s2-052.html cve-icon cve-icon cve-icon
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2 cve-icon cve-icon
https://www.cisa.gov/known-exploited-vulnerabilities-catalog cve-icon
https://www.cve.org/CVERecord?id=CVE-2017-9805 cve-icon
https://www.exploit-db.com/exploits/42627/ cve-icon cve-icon
https://www.kb.cert.org/vuls/id/112992 cve-icon cve-icon
History

Thu, 06 Feb 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2021-11-03'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 14 Aug 2024 00:15:00 +0000

Type Values Removed Values Added
References
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2025-07-30T01:46:23.770Z

Reserved: 2017-06-21T00:00:00.000Z

Link: CVE-2017-9805

cve-icon Vulnrichment

Updated: 2024-08-05T17:18:01.942Z

cve-icon NVD

Status : Deferred

Published: 2017-09-15T19:29:00.237

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-9805

cve-icon Redhat

Severity : Important

Publid Date: 2017-09-05T00:00:00Z

Links: CVE-2017-9805 - Bugzilla

cve-icon OpenCVE Enrichment

No data.