Critical severity9.8CISA KEVNVD Advisory· Published Jul 10, 2017· Updated Jun 17, 2026
CVE-2017-9791
CVE-2017-9791
Description
The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.struts:struts2-struts1-pluginMaven | <= 2.3.37 | — |
Affected products
34cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*+ 32 more
- cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
14- www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.htmlnvdPatchThird Party AdvisoryWEB
- struts.apache.org/docs/s2-048.htmlnvdMitigationVendor AdvisoryWEB
- www.securityfocus.com/bid/99484nvdBroken LinkThird Party AdvisoryVDB EntryWEB
- www.securitytracker.com/id/1038838nvdBroken LinkThird Party AdvisoryVDB EntryWEB
- github.com/advisories/GHSA-29rm-6752-gvwvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-9791ghsaADVISORY
- security.netapp.com/advisory/ntap-20180706-0002/nvdThird Party Advisory
- www.exploit-db.com/exploits/42324/nvdThird Party AdvisoryVDB Entry
- www.exploit-db.com/exploits/44643/nvdThird Party AdvisoryVDB Entry
- github.com/apache/struts/commit/ffe0e20edd9d5386f4410fddd970286a69373243ghsaWEB
- security.netapp.com/advisory/ntap-20180706-0002ghsaWEB
- www.cisa.gov/known-exploited-vulnerabilities-catalognvdUS Government ResourceWEB
- www.exploit-db.com/exploits/42324ghsaWEB
- www.exploit-db.com/exploits/44643ghsaWEB
News mentions
0No linked articles in our index yet.