CVE-2017-9805

🗓️ 15 Sep 2017 19:00:00Reported by apacheType

cve🔗 web.nvd.nist.gov📰️ 5 Media mentions👁 1485 Views

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, leading to Remote Code Execution. CVE-2017-980

Reporter	Title	Published	Views	Family All 132
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Struts	3 Oct 202200:15	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Struts	6 Sep 201708:32	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Struts	4 Dec 201718:23	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Struts	28 Feb 202611:29	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Struts	9 Sep 201701:32	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Struts	16 Mar 202608:01	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Struts	10 Sep 201705:26	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Struts	4 Jan 202618:57	–	githubexploit
GithubExploit	Exploit for Deserialization of Untrusted Data in Apache Struts	7 Sep 201708:49	–	githubexploit
GithubExploit	Exploit for OS Command Injection in Gnu Bash	2 Jan 201700:52	–	githubexploit

NVD

Vulners

Node

apache strutsRange2.1.2–2.3.34

apache strutsRange2.5.0–2.5.13

Node

cisco digital_media_managerMatch-

cisco hosted_collaboration_solutionMatch10.5(1)

cisco hosted_collaboration_solutionMatch11.0(1)

cisco hosted_collaboration_solutionMatch11.5(1)

cisco hosted_collaboration_solutionMatch11.6(1)

cisco media_experience_engineMatch3.5

cisco media_experience_engineMatch3.5.2

cisco network_performance_analysisMatch-

cisco video_distribution_suite_for_internet_streamingMatch-

Node

netapp oncommand_balanceMatch-

[
  {
    "product": "Apache Struts",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "Apache Struts before 2.3.34 and 2.5.x before 2.5.13"
      }
    ]
  }
]

Source	Link
security	www.security.netapp.com/advisory/ntap-20170907-0001/
struts	www.struts.apache.org/docs/s2-052.html
kb	www.kb.cert.org/vuls/id/112992
exploit-db	www.exploit-db.com/exploits/42627/
oracle	www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
blogs	www.blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
securityfocus	www.securityfocus.com/bid/100609
lgtm	www.lgtm.com/blog/apache_struts_CVE-2017-9805
tools	www.tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2

17 Jun 2026 01:28Current

8.4High risk

Vulners AI Score8.4

CVSS 26.8

CVSS 3.18.1

EPSS0.99461

SSVC