CVE-2017-9805

nvd nist nuclei

Published: Sep 15, 2017Modified: Apr 21, 2026CISA KEV

8.1

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

Affected (12)

Products: Apache: Struts · Cisco: Digital Media Manager, Hosted Collaboration Solution, Media Experience Engine, Network Performance Analysis, Video Distribution Suite For Internet Streaming · Netapp: Oncommand Balance

1 product

5 products

Digital Media Manager

Hosted Collaboration Solution

Media Experience Engine

Network Performance Analysis

Video Distribution Suite For Internet Streaming

1 product

Oncommand Balance

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Apache Struts	From 2.1.2 to 2.3.34
Apache Struts	From 2.5.0 to 2.5.13

Configuration B

9 vulnerable

Vulnerable Software	Affected Versions
Cisco Digital Media Manager	All versions
Cisco Hosted Collaboration Solution	Version 10.5(1)
Cisco Hosted Collaboration Solution	Version 11.0(1)
Cisco Hosted Collaboration Solution	Version 11.5(1)
Cisco Hosted Collaboration Solution	Version 11.6(1)
Cisco Media Experience Engine	Version 3.5.2
Cisco Media Experience Engine	Version 3.5
Cisco Network Performance Analysis	All versions
Cisco Video Distribution Suite For Internet Streaming	All versions

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Netapp Oncommand Balance	All versions

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (25)

http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html

Source: security@apache.org

PatchThird Party Advisory

http://www.securityfocus.com/bid/100609

Source: security@apache.org

Broken LinkThird Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1039263

Source: security@apache.org

Broken LinkThird Party AdvisoryVDB Entry

https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax

Source: security@apache.org

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1488482

Source: security@apache.org

Issue TrackingThird Party AdvisoryVDB Entry

https://cwiki.apache.org/confluence/display/WW/S2-052

Source: security@apache.org

MitigationVendor Advisory

https://lgtm.com/blog/apache_struts_CVE-2017-9805

Source: security@apache.org

Broken Link

https://security.netapp.com/advisory/ntap-20170907-0001/

Source: security@apache.org

Third Party Advisory

https://struts.apache.org/docs/s2-052.html

Source: security@apache.org

MitigationVendor Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2

Source: security@apache.org

Third Party Advisory

https://www.exploit-db.com/exploits/42627/

Source: security@apache.org

ExploitThird Party AdvisoryVDB Entry

https://www.kb.cert.org/vuls/id/112992

Source: security@apache.org

Third Party AdvisoryUS Government Resource

http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

http://www.securityfocus.com/bid/100609

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkThird Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1039263

Source: af854a3a-2127-422b-91ae-364da2661108

Broken LinkThird Party AdvisoryVDB Entry

https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1488482

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party AdvisoryVDB Entry

https://cwiki.apache.org/confluence/display/WW/S2-052

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

https://lgtm.com/blog/apache_struts_CVE-2017-9805

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://security.netapp.com/advisory/ntap-20170907-0001/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://struts.apache.org/docs/s2-052.html

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.exploit-db.com/exploits/42627/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

https://www.kb.cert.org/vuls/id/112992

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryUS Government Resource

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-9805

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.