Home > Vulnerability Database > CVE-2017-9805

Mend.io Vulnerability Database

CVE-2017-9805

Good to know:

Date: September 15, 2017

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

Language: Java

Severity Score

8.1

Related Resources (21)

Url: https://security.netapp.com/advisory/ntap-20170907-0001/

Url: https://www.kb.cert.org/vuls/id/112992

Url: https://lgtm.com/blog/apache_struts_CVE-2017-9805

Url: https://www.exploit-db.com/exploits/42627

Url: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2

Url: https://struts.apache.org/docs/s2-052.html

Url: https://bugzilla.redhat.com/show_bug.cgi?id=1488482

Url: https://security.netapp.com/advisory/ntap-20170907-0001

Url: http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html

Url: https://github.com/apache/struts/commit/19494718865f2fb7da5ea363de3822f87fbda26

Url: https://www.exploit-db.com/exploits/42627/

Url: https://github.com/apache/struts/commit/6dd6e5cfb7b5e020abffe7e8091bd63fe97c10a

Url: https://cwiki.apache.org/confluence/display/WW/S2-052

Url: https://github.com/apache/struts

Url: https://nvd.nist.gov/vuln/detail/CVE-2017-9805

Url: https://web.archive.org/web/20170909031344/http://www.securityfocus.com/bid/100609

Url: https://web.archive.org/web/20170922053119/http://www.securitytracker.com/id/1039263

Url: http://www.securityfocus.com/bid/100609

Url: http://www.securitytracker.com/id/1039263

Url: https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax

Url: https://www.mend.io/vulnerability-database/CVE-2017-9805

Severity Score

8.1

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Top Fix

Upgrade Version

Upgrade to version org.apache.struts:struts2-core:2.3.34,org.apache.struts:struts2-core:2.5.13

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2017-9805

Good to know:

Date: September 15, 2017

Language: Java

Severity Score

Related Resources (21)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?