CyberSec.Space Logo
Back to CVE Browser

CVE-2017-9791

Known Exploited (CISA KEV)CRITICAL
9.8
CVSS Severity Score
EPSS Score50.0370%
EPSS Percentile98.72th
PublishedJul 10, 2017
Last ModifiedApr 21, 2026

Vulnerability Description

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

Affected Platforms (CPE)

πŸ“¦
Apache

Struts

= 2.3.1
πŸ“¦
Apache

Struts

= 2.3.1.1
πŸ“¦
Apache

Struts

= 2.3.1.2
πŸ“¦
Apache

Struts

= 2.3.3
πŸ“¦
Apache

Struts

= 2.3.4
πŸ“¦
Apache

Struts

= 2.3.4.1
πŸ“¦
Apache

Struts

= 2.3.7
πŸ“¦
Apache

Struts

= 2.3.8
πŸ“¦
Apache

Struts

= 2.3.12
πŸ“¦
Apache

Struts

= 2.3.14
πŸ“¦
Apache

Struts

= 2.3.14.1
πŸ“¦
Apache

Struts

= 2.3.14.2
πŸ“¦
Apache

Struts

= 2.3.14.3
πŸ“¦
Apache

Struts

= 2.3.15
πŸ“¦
Apache

Struts

= 2.3.15.1
πŸ“¦
Apache

Struts

= 2.3.15.2
πŸ“¦
Apache

Struts

= 2.3.15.3
πŸ“¦
Apache

Struts

= 2.3.16
πŸ“¦
Apache

Struts

= 2.3.16.1
πŸ“¦
Apache

Struts

= 2.3.16.2
πŸ“¦
Apache

Struts

= 2.3.16.3
πŸ“¦
Apache

Struts

= 2.3.20
πŸ“¦
Apache

Struts

= 2.3.20.1
πŸ“¦
Apache

Struts

= 2.3.20.3
πŸ“¦
Apache

Struts

= 2.3.24
πŸ“¦
Apache

Struts

= 2.3.24.1
πŸ“¦
Apache

Struts

= 2.3.24.3
πŸ“¦
Apache

Struts

= 2.3.28
πŸ“¦
Apache

Struts

= 2.3.28.1
πŸ“¦
Apache

Struts

= 2.3.29
πŸ“¦
Apache

Struts

= 2.3.30
πŸ“¦
Apache

Struts

= 2.3.31
πŸ“¦
Apache

Struts

= 2.3.32

References & Advisories

πŸ”— http://struts.apache.org/docs/s2-048.html
πŸ”— http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
πŸ”— http://www.securityfocus.com/bid/99484
πŸ”— http://www.securitytracker.com/id/1038838
πŸ”— https://security.netapp.com/advisory/ntap-20180706-0002/
πŸ”— https://www.exploit-db.com/exploits/42324/
πŸ”— https://www.exploit-db.com/exploits/44643/
πŸ”— http://struts.apache.org/docs/s2-048.html

Related Vulnerabilities

CVE-2013-431610.0

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.

CVE-2012-083810.0

Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows re...

CVE-2020-175309.8

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software :...

CVE-2021-440779.8

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulner...