CVE-2017-9805

CVSS 8.1 HIGH | EPSS 99.5% | KEV | CWE-502
In short

Apache Struts 2 has a flaw in its REST plugin that allows attackers to execute arbitrary code by sending specially crafted XML messages. The vulnerability exists because the plugin deserializes data without properly validating which types of objects are being created.

Technical detail

The REST Plugin's XStreamHandler deserializes XML payloads using an unrestricted XStream instance without type filtering, enabling attackers to instantiate arbitrary Java classes and execute remote code. Exploitation requires sending a malicious XML request to an affected REST endpoint; successful exploitation leads to complete system compromise.

Summary generated and translated by AI from the official description.
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
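To check hosts you operate against the version ranges in the description, the following added example (not part of the original page or of Apache Struts) looks for the REST plugin jar, loose or packed inside `.war`/`.ear` archives, and compares its version. It assumes the jar keeps its Maven artifact name `struts2-rest-plugin-<version>.jar`; a renamed or repackaged jar is not detected by filename matching.

```python
import re
import zipfile
from pathlib import Path

# Affected ranges exactly as the description states them:
# 2.1.1 through 2.3.x before 2.3.34, and 2.5.x before 2.5.13.
AFFECTED = [((2, 1, 1), (2, 3, 34)), ((2, 5, 0), (2, 5, 13))]

# Assumed Maven-style jar name, e.g. struts2-rest-plugin-2.3.33.jar
JAR_RE = re.compile(r"struts2-rest-plugin-(\d+(?:\.\d+)*)[-.\w]*\.jar$")


def parse_version(text):
    """'2.5' -> (2, 5, 0); '2.5.10.1' -> (2, 5, 10, 1)."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version):
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in AFFECTED)


def scan_paths(paths):
    """Return (path, version, affected) for every REST plugin jar name seen."""
    findings = []
    for p in paths:
        m = JAR_RE.search(str(p))
        if m:
            findings.append((str(p), m.group(1), is_affected(m.group(1))))
    return findings


def scan_tree(root):
    """Check loose jars plus jars packed inside .war/.ear archives under root."""
    names = []
    for f in Path(root).rglob("*"):
        if f.suffix == ".jar":
            names.append(str(f))
        elif f.suffix in (".war", ".ear") and zipfile.is_zipfile(f):
            with zipfile.ZipFile(f) as z:
                names += [f"{f}!{n}" for n in z.namelist()]
    return scan_paths(names)


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real system.
    sample = ["/srv/app/WEB-INF/lib/struts2-rest-plugin-2.3.33.jar",
              "/srv/app2/WEB-INF/lib/struts2-rest-plugin-2.5.13.jar"]
    for path, version, affected in scan_paths(sample):
        print(("AFFECTED" if affected else "ok      "), version, path)
```

A clean result only means no matching jar name was found under the scanned root; applications that bundle the plugin under another name need a dependency-level check.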
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
