Vulnerability in Apache Software Foundation Struts
CVE-2017-9805
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when dese…
EPSS: 0.943 (100.0th percentile) — read the EPSS interpretation.
Affected products
- Apache Software Foundation Struts — versions Apache Struts before 2.3.34 and 2.5.x before 2.5.13
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog, added on . CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.
BOD 22-01 due date: .
Required action: Apply updates per vendor instructions.
Public proof-of-concept exploits
- mazen160/struts-pwn_CVE-2017-9805
- luc10/struts-rce-cve-2017-9805
- chrisjd20/cve-2017-9805.py
- 0x00-0x00/-CVE-2017-9805
- Lone-Ranger/apache-struts-pwn_CVE-2017-9805
- Shakun8/CVE-2017-9805
- hahwul/struts2-rce-cve-2017-9805-ruby
- 0xd3vil/CVE-2017-9805-Exploit
- jongmartinez/-CVE-2017-9805-
- UbuntuStrike/struts_rest_rce_fuzz-CVE-2017-9805-
References
- www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html (x_refsource_CONFIRM)
- struts.apache.org/docs/s2-052.html (x_refsource_CONFIRM)
- 1039263 (vdb-entry, x_refsource_SECTRACK)
- 100609 (vdb-entry, x_refsource_BID)
- 20170907 Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017 (x_refsource_CISCO, vendor-advisory)
- bugzilla.redhat.com/show_bug.cgi (x_refsource_CONFIRM)
- blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax (x_refsource_CONFIRM)
- 42627 (exploit, x_refsource_EXPLOIT-DB)
- lgtm.com/blog/apache_struts_CVE-2017-9805 (x_refsource_MISC)
- cwiki.apache.org/confluence/display/WW/S2-052 (x_refsource_CONFIRM)
Frequently asked questions
- What is CVE-2017-9805?
- CVE-2017-9805 is a vulnerability in Apache Software Foundation Struts. Published 2017-09-15.
- Is CVE-2017-9805 known to be exploited?
- Yes. CVE-2017-9805 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2021-11-03), indicating it is being actively exploited. 159 public proof-of-concept repositories are indexed.