CVE-2017-9805

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2017-9805
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9805.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-9805
Aliases
Published
2017-09-15T19:29:00.237Z
Modified
2026-04-10T04:02:44.714104Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

References

Affected packages

Git / github.com/apache/struts

Affected ranges

Type
GIT
Repo
https://github.com/apache/struts
Events
Introduced
f633bb8270ea52b8d168ade14b8721d8739ceab1
Fixed
f0b3a1d213d0018931c8ee85bbddb767f852f539
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
9f5082615ede714618c8694c418210d43338daf6
Database specific 
{
    "versions": [
        {
            "introduced": "2.1.2"
        },
        {
            "fixed": "2.3.34"
        },
        {
            "introduced": "2.5.0"
        },
        {
            "fixed": "2.5.13"
        }
    ]
}

Affected versions

Other
STRUTS_2_3_24
STRUTS_2_3_24_1
STRUTS_2_3_25
STRUTS_2_3_26
STRUTS_2_3_27
STRUTS_2_3_28
STRUTS_2_3_29
STRUTS_2_3_30
STRUTS_2_3_31
STRUTS_2_3_32
STRUTS_2_3_33
STRUTS_2_5_10
STRUTS_2_5_11
STRUTS_2_5_12
STRUTS_2_5_3
STRUTS_2_5_4
STRUTS_2_5_5
STRUTS_2_5_6
STRUTS_2_5_7
STRUTS_2_5_8
STRUTS_2_5_9
STRUTS_2_5_BETA1
STRUTS_2_5_BETA2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9805.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.5(1)"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.0(1)"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.5(1)"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.6(1)"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.5"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.5.2"
            }
        ]
    }
]