CVE-2017-9793 — The REST Plugin in Apache Struts is using an outdated XStream library

Description

The REST Plugin in Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.

How to fix CVE-2017-9793

To remediate CVE-2017-9793, upgrade the affected package to a fixed version below.

—upgrade to 2.3.34 or later

Is CVE-2017-9793 being exploited?

Moderate — EPSS is 7.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 2.3.34

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (9)

ADVISORYgithub.com/advisories/GHSA-vwxj-6m5m-rrvh
ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-9793
WEBsecurity.netapp.com/advisory/ntap-20180629-0001
WEBstruts.apache.org/docs/s2-051.html
WEB