
CVE-2017-9805

Known Exploited (CISA KEV)
CVSS Severity Score: 8.1 (HIGH)
EPSS Score: 61.7490%
EPSS Percentile: 94.33th
Published: Sep 15, 2017
Last Modified: Apr 21, 2026

Vulnerability Description

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

Affected Platforms (CPE)

Apache Struts: >= 2.1.2 and < 2.3.34
Apache Struts: >= 2.5.0 and < 2.5.13
Cisco Digital Media Manager: All versions
Cisco Hosted Collaboration Solution: = 10.5(1)
Cisco Hosted Collaboration Solution: = 11.0(1)
Cisco Hosted Collaboration Solution: = 11.5(1)
Cisco Hosted Collaboration Solution: = 11.6(1)
Cisco Media Experience Engine: = 3.5
Cisco Media Experience Engine: = 3.5.2
Cisco Network Performance Analysis: All versions
Cisco Video Distribution Suite For Internet Streaming: All versions
Netapp Oncommand Balance: All versions
