High severity · CVSS 8.1 · CISA KEV · NVD Advisory · Published Sep 15, 2017 · Updated Jun 17, 2026
CVE-2017-9805
Description
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.struts:struts2-rest-plugin (Maven) | >= 2.1.1, < 2.3.34 | 2.3.34 |
| org.apache.struts:struts2-rest-plugin (Maven) | >= 2.5.0, < 2.5.13 | 2.5.13 |
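
The two ranges above are half-open: a version is affected when it is at or above the lower bound and strictly below the patched release. The usual mistake when scripting this is a string comparison, under which "2.3.9" sorts after "2.3.34". The following is an added example, not part of the advisory or of Struts, that encodes exactly the ranges in the table and compares versions segment by segment; the class name and the sample versions in main are constructed for illustration, and a pre-release qualifier such as "-SNAPSHOT" is deliberately treated as older than the release it precedes, so "2.5.13-SNAPSHOT" is still reported as affected.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: is a struts2-rest-plugin version inside one of the advisory's affected ranges? */
public final class StrutsRestPluginCheck {

    /** Half-open range [lower, patched): "patched" is the first fixed release and is excluded. */
    static final class Range {
        final String lower, patched;
        Range(String lower, String patched) { this.lower = lower; this.patched = patched; }
    }

    // The ranges exactly as the affected-packages table states them.
    static final List<Range> AFFECTED = Arrays.asList(
            new Range("2.1.1", "2.3.34"),
            new Range("2.5.0", "2.5.13"));

    /** Parsed form: numeric segments plus a flag for a trailing qualifier (RC1, -SNAPSHOT, ...). */
    static final class Parsed {
        final List<Integer> nums; final boolean qualified;
        Parsed(List<Integer> nums, boolean qualified) { this.nums = nums; this.qualified = qualified; }
    }

    private static final Pattern SEGMENT = Pattern.compile("(\\d+)(.*)");

    static Parsed parse(String version) {
        List<Integer> nums = new ArrayList<>();
        boolean qualified = false;
        for (String seg : version.trim().split("\\.")) {
            Matcher m = SEGMENT.matcher(seg);
            if (!m.matches()) { qualified = true; break; }          // e.g. "RC1": no leading digits
            nums.add(Integer.parseInt(m.group(1)));
            if (!m.group(2).isEmpty()) { qualified = true; break; } // e.g. "13-SNAPSHOT"
        }
        return new Parsed(nums, qualified);
    }

    /** Numeric, segment-wise comparison; missing segments count as 0 ("2.5" == "2.5.0").
     *  If the numeric parts tie, the version carrying a qualifier is the older one. */
    static int compareVersions(String a, String b) {
        Parsed x = parse(a), y = parse(b);
        int n = Math.max(x.nums.size(), y.nums.size());
        for (int i = 0; i < n; i++) {
            int xi = i < x.nums.size() ? x.nums.get(i) : 0;
            int yi = i < y.nums.size() ? y.nums.get(i) : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return Boolean.compare(y.qualified, x.qualified);
    }

    /** The range the version falls into, or null when it is outside every affected range. */
    static Range affectedRange(String version) {
        for (Range r : AFFECTED) {
            if (compareVersions(version, r.lower) >= 0 && compareVersions(version, r.patched) < 0) return r;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample versions; pass real ones on the command line instead.
        String[] samples = args.length > 0 ? args
                : new String[] { "2.0.14", "2.3.9", "2.3.34", "2.5.12", "2.5.13-SNAPSHOT", "2.5.13" };
        for (String v : samples) {
            Range r = affectedRange(v);
            System.out.println(v + (r == null
                    ? ": not in an affected range"
                    : ": AFFECTED, upgrade to " + r.patched));
        }
    }
}
```

This checks only the version string of the one artifact; it does not tell you whether struts2-rest-plugin is actually on a deployment's classpath, which is the question that decides exposure. Resolve the effective version from the build (for Maven, the dependency tree) rather than from a POM property, since transitive dependency management can override what the POM appears to declare.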
Affected products
- cpe:2.3:a:cisco:digital_media_manager:-:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:hosted_collaboration_solution:10.5\(1\):*:*:*:*:*:*:*
- cpe:2.3:a:cisco:hosted_collaboration_solution:11.0\(1\):*:*:*:*:*:*:*
- cpe:2.3:a:cisco:hosted_collaboration_solution:11.5\(1\):*:*:*:*:*:*:*
- cpe:2.3:a:cisco:hosted_collaboration_solution:11.6\(1\):*:*:*:*:*:*:*
- cpe:2.3:a:cisco:media_experience_engine:3.5:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:media_experience_engine:3.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:network_performance_analysis:-:*:*:*:*:*:*:*
- cpe:2.3:a:cisco:video_distribution_suite_for_internet_streaming:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
Vulnerability mechanics
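The description above names the defect precisely: the REST plugin handed request bodies to an XStream instance that had no type restrictions, so the class XStream instantiates is chosen by the XML itself (the root element name, or a class="" attribute), not by the endpoint. Once an attacker can name arbitrary classes from the classpath, the problem reduces to picking a gadget chain that does something useful during unmarshalling, which is why the fix in 2.3.34 and 2.5.13 is type filtering rather than input sanitisation. The block below is an added example, not the Struts XStreamHandler and not the project's own code: it places the unrestricted pattern next to an allow-listed one using XStream's own security API (addPermission, allowTypes, allowTypeHierarchy, all in com.thoughtworks.xstream.security), and drives both with a constructed benign body and a constructed probe body. OrderDto and NotAllowedProbe are hypothetical classes standing in for "the endpoint's model" and "any class the attacker names"; no gadget class is used. It assumes XStream 1.4.x on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.io.Reader;
import java.io.StringReader;
import java.util.Collection;
import java.util.Map;

// Hypothetical request model: the only application type this endpoint should ever build.
class OrderDto {
    String sku;
    int quantity;
}

// Hypothetical stand-in for "whatever class the XML names". A real attacker names a
// gadget class that is already on the classpath; the mechanism is identical.
class NotAllowedProbe {
    String marker;
}

public class XmlBodyHandlers {

    /** The pattern behind CVE-2017-9805: an XStream instance with no type filtering.
     *  The document, not the code, decides which class gets instantiated. */
    static Object deserializeUnfiltered(Reader body) {
        XStream xstream = new XStream();
        return xstream.fromXML(body);
    }

    /** Hardened form: deny every type first, then allow-list only what the endpoint needs. */
    static Object deserializeAllowListed(Reader body, Class<?>... allowed) {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // start from "nothing is allowed"
        xstream.addPermission(NullPermission.NULL);                // null references
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class });
        xstream.allowTypeHierarchy(Collection.class);              // drop these two lines if the
        xstream.allowTypeHierarchy(Map.class);                     // model has no collections
        xstream.allowTypes(allowed);                               // the endpoint's own DTOs
        return xstream.fromXML(body);
    }

    public static void main(String[] args) {
        // Constructed sample bodies: one legitimate, one naming a class the endpoint never asked for.
        String benign = "<OrderDto><sku>ABC-1</sku><quantity>2</quantity></OrderDto>";
        String probe  = "<NotAllowedProbe><marker>x</marker></NotAllowedProbe>";

        // Unfiltered: builds whatever the root element names (XStream before 1.4.18).
        try {
            Object built = deserializeUnfiltered(new StringReader(probe));
            System.out.println("unfiltered built: " + built.getClass().getName());
        } catch (XStreamException e) {
            // XStream 1.4.18 and later ship a default allow-list, so the probe fails even here.
            System.out.println("this XStream already rejects unlisted types: " + e.getMessage());
        }

        // Allow-listed: the legitimate body still works ...
        Object order = deserializeAllowListed(new StringReader(benign), OrderDto.class);
        System.out.println("allow-listed built: " + order.getClass().getName());

        // ... and the probe is refused before any object is constructed
        // (ForbiddenClassException, or a ConversionException wrapping it for nested fields).
        try {
            deserializeAllowListed(new StringReader(probe), OrderDto.class);
            System.out.println("UNEXPECTED: probe was accepted");
        } catch (XStreamException e) {
            System.out.println("allow-listed rejected: " + e.getMessage());
        }
    }
}
```

Two caveats for anyone applying the hardened pattern rather than upgrading. First, allow-listing must be the default state of the instance, not a check bolted on after the fact: order matters, and NoTypePermission.NONE has to come first so that later allowTypes calls are additive. Second, an allow-listed XStream is still a reflective object builder, so every type on the list (including anything reachable through allowTypeHierarchy) is attack surface; keep the list to plain DTOs and do not grant wildcards over packages that contain classes with side effects in their constructors or readObject methods. Upgrading to 2.3.34 / 2.5.13 remains the fix the advisory recommends.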
References
- www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html (NVD: Patch, Third Party Advisory)
- www.exploit-db.com/exploits/42627/ (NVD: Exploit, Third Party Advisory, VDB Entry; GHSA)
- www.securityfocus.com/bid/100609 (NVD: Broken Link, Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1039263 (NVD: Broken Link, Third Party Advisory, VDB Entry)
- blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax (NVD: Vendor Advisory)
- bugzilla.redhat.com/show_bug.cgi (NVD: Issue Tracking, Third Party Advisory, VDB Entry)
- cwiki.apache.org/confluence/display/WW/S2-052 (NVD: Mitigation, Vendor Advisory)
- github.com/advisories/GHSA-gg9m-fj3v-r58c (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-9805 (GHSA: Advisory)
- security.netapp.com/advisory/ntap-20170907-0001/ (NVD: Third Party Advisory; GHSA)
- struts.apache.org/docs/s2-052.html (NVD: Mitigation, Vendor Advisory)
- tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2 (NVD: Third Party Advisory)
- www.kb.cert.org/vuls/id/112992 (NVD: Third Party Advisory, US Government Resource)
- github.com/apache/struts/commit/19494718865f2fb7da5ea363de3822f87fbda26 (GHSA)
- github.com/apache/struts/commit/6dd6e5cfb7b5e020abffe7e8091bd63fe97c10a (GHSA)
- lgtm.com/blog/apache_struts_CVE-2017-9805 (NVD: Broken Link)
- web.archive.org/web/20170909031344/http://www.securityfocus.com/bid/100609 (GHSA)
- web.archive.org/web/20170922053119/http://www.securitytracker.com/id/1039263 (GHSA)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (NVD: US Government Resource)