High severity (CVSS 8.1) · CISA KEV · NVD Advisory · Published Sep 15, 2017 · Updated Apr 21, 2026
CVE-2017-9805
Description
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.struts:struts2-rest-plugin (Maven) | >= 2.1.1, < 2.3.34 | 2.3.34 |
| org.apache.struts:struts2-rest-plugin (Maven) | >= 2.5.0, < 2.5.13 | 2.5.13 |
Affected products
- cpe:2.3:a:cisco:digital_media_manager:-:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:hosted_collaboration_solution:10.5\(1\):*:*:*:*:*:*:*
- cpe:2.3:a:cisco:hosted_collaboration_solution:11.0\(1\):*:*:*:*:*:*:*
- cpe:2.3:a:cisco:hosted_collaboration_solution:11.5\(1\):*:*:*:*:*:*:*
- cpe:2.3:a:cisco:hosted_collaboration_solution:11.6\(1\):*:*:*:*:*:*:*
- cpe:2.3:a:cisco:media_experience_engine:3.5:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:media_experience_engine:3.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:network_performance_analysis:-:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:video_distribution_suite_for_internet_streaming:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
Patches
- 4f0b3a1d213d09f5082615ede19494718865f (https://github.com/apache/struts) via ghsa
- 6dd6e5cfb7b5 (https://github.com/apache/struts) via ghsa
References
- www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html [nvd] Patch, Third Party Advisory, WEB
- www.exploit-db.com/exploits/42627/ [nvd] Exploit, Third Party Advisory, VDB Entry
- www.securityfocus.com/bid/100609 [nvd] Broken Link, Third Party Advisory, VDB Entry, WEB
- www.securitytracker.com/id/1039263 [nvd] Broken Link, Third Party Advisory, VDB Entry, WEB
- blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax [nvd] Vendor Advisory, WEB
- bugzilla.redhat.com/show_bug.cgi [nvd] Issue Tracking, Third Party Advisory, VDB Entry, WEB
- cwiki.apache.org/confluence/display/WW/S2-052 [nvd] Mitigation, Vendor Advisory, WEB
- github.com/advisories/GHSA-gg9m-fj3v-r58c [ghsa] ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-9805 [ghsa] ADVISORY
- security.netapp.com/advisory/ntap-20170907-0001/ [nvd] Third Party Advisory
- struts.apache.org/docs/s2-052.html [nvd] Mitigation, Vendor Advisory, WEB
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2 [nvd] Third Party Advisory, WEB
- www.kb.cert.org/vuls/id/112992 [nvd] Third Party Advisory, US Government Resource, WEB
- github.com/apache/struts/commit/19494718865f2fb7da5ea363de3822f87fbda26 [ghsa] WEB
- github.com/apache/struts/commit/6dd6e5cfb7b5e020abffe7e8091bd63fe97c10a [ghsa] WEB
- lgtm.com/blog/apache_struts_CVE-2017-9805 [nvd] Broken Link, WEB
- security.netapp.com/advisory/ntap-20170907-0001 [ghsa] WEB
- web.archive.org/web/20170909031344/http://www.securityfocus.com/bid/100609 [ghsa] WEB
- web.archive.org/web/20170922053119/http://www.securitytracker.com/id/1039263 [ghsa] WEB
- www.cisa.gov/known-exploited-vulnerabilities-catalog [nvd] US Government Resource, WEB
- www.exploit-db.com/exploits/42627 [ghsa] WEB
News mentions
No linked articles in our index yet.