CVE-2017-9805
REST Plugin in Apache Struts uses an XStreamHandler with an instance of XStream for deserialization without any type filtering
8.1
HIGH
CVSS 3.1
⚠ KEV | EPSS 94.3%
Description
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
How to fix CVE-2017-9805
To remediate CVE-2017-9805, upgrade the affected package to a fixed version below.
- upgrade to 2.3.34 or later
Is CVE-2017-9805 being exploited?
Yes — CVE-2017-9805 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.
Affected packages (1)
- >= 2.1.1, < 2.3.34
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.1) | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |