Vulnerability Monitor


CVE-2017-9805


The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
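The pattern behind the description, as an added example that is not Struts or XStream project code: a bare XStream instance (the CWE-502 shape the CVE describes, where the XML element name selects the Java class to instantiate) beside one configured with a type allow-list. It assumes com.thoughtworks.xstream:xstream 1.4.7 or later on the classpath (the release that introduced the type-permission API); the OrderRequest model and both XML bodies are constructed for illustration.

```java
// Added example, not Struts project code. Assumes com.thoughtworks.xstream:xstream
// 1.4.7 or later (the type-permission API) on the classpath.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamTypeFilterExample {

    /** Hypothetical request model: the only type this endpoint should ever build. */
    public static class OrderRequest {
        public String sku;
        public int quantity;
        @Override public String toString() { return sku + " x" + quantity; }
    }

    /**
     * Vulnerable pattern (what the CVE describes): XStream with no type filtering.
     * The element name in the XML selects the Java class to instantiate, so whoever
     * controls the request body controls which classes get constructed and populated.
     * (Before XStream 1.4.18 a bare instance accepted any class on the classpath.)
     */
    static XStream unfiltered() {
        XStream xs = new XStream();
        xs.alias("order", OrderRequest.class);
        return xs;
    }

    /**
     * Hardened pattern: deny every type first, then allow-list exactly what the
     * handler expects. Any other element name fails with ForbiddenClassException
     * before a constructor runs.
     */
    static XStream filtered() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // wipe the default permissions
        xs.addPermission(NullPermission.NULL);                // allow <null/>
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ... and wrappers
        xs.allowTypes(new Class[] { String.class, OrderRequest.class });
        xs.alias("order", OrderRequest.class);
        return xs;
    }

    static String tryParse(XStream xs, String xml) {
        try {
            Object o = xs.fromXML(xml);
            return "built " + o.getClass().getName() + " -> " + o;
        } catch (XStreamException e) {                        // ForbiddenClassException extends this
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate body, and a body naming a class the endpoint
        // never asked for (a harmless JDK collection stands in for an attacker's choice).
        String legit = "<order><sku>ABC-1</sku><quantity>2</quantity></order>";
        String unexpected = "<java.util.ArrayList><string>whatever</string></java.util.ArrayList>";

        System.out.println("unfiltered, legit:      " + tryParse(unfiltered(), legit));
        System.out.println("unfiltered, unexpected: " + tryParse(unfiltered(), unexpected)); // builds an ArrayList
        System.out.println("filtered,   legit:      " + tryParse(filtered(), legit));
        System.out.println("filtered,   unexpected: " + tryParse(filtered(), unexpected));   // rejected
    }
}
```

The point of the contrast is that the unfiltered instance happily materialises whatever class the root element names, while the allow-listed one rejects the same body before any constructor runs. Upgrading past 2.3.34 / 2.5.13 is still the real fix for Struts; the allow-list pattern is what to look for when reviewing any other code that feeds untrusted XML to XStream.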


Published

2017-09-15T19:29:00.237

Last Modified

2025-04-20T01:37:25.860

Status

Deferred (NVD marks a record Deferred when it does not plan to prioritise further enrichment of it; the CVSS, CWE and CPE data below reflect the existing analysis and are not guaranteed to be refreshed)

Source

[email protected]

Severity

CVSSv3.1: 8.1 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P (CVSSv2 base score 6.8, MEDIUM, as computed from this vector)

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

CVSSv2 Exploitability Subscore

8.6

CVSSv2 Impact Subscore

6.4

Note that the two subscores belong to the CVSSv2 vector above, not to the CVSSv3.1 base score.

Weaknesses
  • Type: Primary
    CWE-502 (Deserialization of Untrusted Data)
  • Type: Secondary
    CWE-502 (Deserialization of Untrusted Data)

Affected Vendors & Products
Type         Vendor   Product                                          Version/Range                    Vulnerable?
Application  apache   struts                                           2.1.1 through 2.3.33 (< 2.3.34)  Yes
Application  apache   struts                                           2.5.0 through 2.5.12 (< 2.5.13)  Yes
Application  cisco    digital_media_manager                            -                                Yes
Application  cisco    hosted_collaboration_solution                    10.5(1)                          Yes
Application  cisco    hosted_collaboration_solution                    11.0(1)                          Yes
Application  cisco    hosted_collaboration_solution                    11.5(1)                          Yes
Application  cisco    hosted_collaboration_solution                    11.6(1)                          Yes
Application  cisco    media_experience_engine                          3.5                              Yes
Application  cisco    media_experience_engine                          3.5.2                            Yes
Application  cisco    network_performance_analysis                     -                                Yes
Application  cisco    video_distribution_suite_for_internet_streaming  -                                Yes
Application  netapp   oncommand_balance                                -                                Yes

The Struts ranges follow the description above (2.1.1 up to but excluding 2.3.34, and 2.5.0 up to but excluding 2.5.13); the vulnerable component is the REST plugin, so a Struts release in range is exposed only where that plugin is deployed. A "-" in Version/Range means the record's CPE entry carries no version constraint. The Cisco and NetApp entries are products that bundle a vulnerable Struts component; for those, the vendor advisory rather than a Struts version number says which builds are fixed.
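A version-range check built from the Struts ranges in the table and the CVE description, as an added example that is neither Struts project code nor NVD tooling. It assumes inventory entries are plain Struts version strings such as those in the struts2-core jar name (the sample inventory in main is constructed), and it tests the two affected ranges, 2.1.1 to 2.3.34 exclusive and 2.5.0 to 2.5.13 exclusive, with four-component releases like 2.5.10.1 compared numerically.

```java
// Added example, not Struts project code: is a given Struts version inside the
// affected ranges for CVE-2017-9805? Ranges are taken from the CVE description.
import java.util.Arrays;
import java.util.List;

public class StrutsVersionCheck {

    // Half-open ranges [lower, upper): 2.1.1 <= v < 2.3.34 and 2.5.0 <= v < 2.5.13
    private static final int[][][] AFFECTED = {
        { {2, 1, 1}, {2, 3, 34} },
        { {2, 5, 0}, {2, 5, 13} },
    };

    /** Parse "2.5.10.1" into {2,5,10,1}; trailing qualifiers like "-SNAPSHOT" are dropped. */
    static int[] parse(String version) {
        String[] parts = version.trim().split("\\.");
        int[] out = new int[parts.length];
        for (int i = 0; i < parts.length; i++) {
            String digits = parts[i].replaceAll("[^0-9].*$", "");
            if (digits.isEmpty()) {
                throw new IllegalArgumentException("not a numeric version: " + version);
            }
            out[i] = Integer.parseInt(digits);
        }
        return out;
    }

    /** Numeric component-wise compare; missing components count as 0, so 2.3 == 2.3.0. */
    static int compare(int[] a, int[] b) {
        int n = Math.max(a.length, b.length);
        for (int i = 0; i < n; i++) {
            int x = i < a.length ? a[i] : 0;
            int y = i < b.length ? b[i] : 0;
            if (x != y) {
                return Integer.compare(x, y);
            }
        }
        return 0;
    }

    public static boolean isAffected(String version) {
        int[] v = parse(version);
        for (int[][] range : AFFECTED) {
            if (compare(v, range[0]) >= 0 && compare(v, range[1]) < 0) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample inventory: boundary releases on both sides of each fix.
        List<String> inventory = Arrays.asList(
            "2.0.14", "2.1.1", "2.3.33", "2.3.34", "2.5.10.1", "2.5.12", "2.5.13", "2.5.20");
        for (String v : inventory) {
            System.out.printf("%-10s %s%n", v,
                isAffected(v) ? "in affected range (CVE-2017-9805)" : "not in affected range");
        }
    }
}
```

The check answers only whether the release is in range; whether a deployment is actually exposed depends on the REST plugin being present, and the Cisco and NetApp products in the table need the vendor's own fixed-build list rather than this comparison.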

References