Back to search
CVE-2017-9805
Published: Sep 15, 2017
Modified: Oct 21, 2025
PUBLISHED
Description
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
| Vendor | Product | Versions |
|---|---|---|
Apache Software Foundation | Apache Struts | affected Apache Struts before 2.3.34 and 2.5.x before 2.5.13 |
References
https://struts.apache.org/docs/s2-052.html
x_refsource_CONFIRM
1039263
vdb-entry
x_refsource_SECTRACK
100609
vdb-entry
x_refsource_BID
20170907 Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017
vendor-advisory
x_refsource_CISCO
https://bugzilla.redhat.com/show_bug.cgi?id=1488482
x_refsource_CONFIRM
https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
x_refsource_CONFIRM
42627
exploit
x_refsource_EXPLOIT-DB
https://lgtm.com/blog/apache_struts_CVE-2017-9805
x_refsource_MISC
https://cwiki.apache.org/confluence/display/WW/S2-052
x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20170907-0001/
x_refsource_CONFIRM
VU#112992
third-party-advisory
x_refsource_CERT-VN
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now