cnvd - cnvd-2017-25267

cnvd-2017-25267

Vulnerability from cnvd

Title: Apache Struts2 REST插件远程代码执行漏洞

Description:

Struts2 是Apache软件基金会负责维护的一个基于MVC设计模式的Web应用框架开源项目。

Apache Struts2 REST插件存在远程代码执行漏洞，由于使用XStream组件对XML格式的数据包进行反序列化操作时，未对数据内容进行有效验证，导致攻击者可构造恶意的XML内容执行任意代码。

Severity: 高

Patch Name: Apache Struts2 REST插件远程代码执行漏洞的补丁

Patch Description:

Struts2 是Apache软件基金会负责维护的一个基于MVC设计模式的Web应用框架开源项目。

Apache Struts2 REST插件存在远程代码执行漏洞，由于使用XStream组件对XML格式的数据包进行反序列化操作时，未对数据内容进行有效验证，导致攻击者可构造恶意的XML内容执行任意代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

升级到Struts 2.5.13版本，补丁下载地址： https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.13

Reference: https://cwiki.apache.org/confluence/display/WW/S2-052

Impacted products

Name
Apache Struts2 >=2.5，<=2.5.12

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-9805"
    }
  },
  "description": "Struts2 \u662fApache\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u8d1f\u8d23\u7ef4\u62a4\u7684\u4e00\u4e2a\u57fa\u4e8eMVC\u8bbe\u8ba1\u6a21\u5f0f\u7684Web\u5e94\u7528\u6846\u67b6\u5f00\u6e90\u9879\u76ee\u3002\r\n\r\nApache Struts2 REST\u63d2\u4ef6\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u7531\u4e8e\u4f7f\u7528XStream\u7ec4\u4ef6\u5bf9XML\u683c\u5f0f\u7684\u6570\u636e\u5305\u8fdb\u884c\u53cd\u5e8f\u5217\u5316\u64cd\u4f5c\u65f6\uff0c\u672a\u5bf9\u6570\u636e\u5185\u5bb9\u8fdb\u884c\u6709\u6548\u9a8c\u8bc1\uff0c\u5bfc\u81f4\u653b\u51fb\u8005\u53ef\u6784\u9020\u6076\u610f\u7684XML\u5185\u5bb9\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "discovererName": "Man Yue Mo",
  "formalWay": "\u5347\u7ea7\u5230Struts 2.5.13\u7248\u672c\uff0c\u8865\u4e01\u4e0b\u8f7d\u5730\u5740\uff1a\r\nhttps://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.13",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-25267",
  "openTime": "2017-09-06",
  "patchDescription": "Struts2 \u662fApache\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u8d1f\u8d23\u7ef4\u62a4\u7684\u4e00\u4e2a\u57fa\u4e8eMVC\u8bbe\u8ba1\u6a21\u5f0f\u7684Web\u5e94\u7528\u6846\u67b6\u5f00\u6e90\u9879\u76ee\u3002\r\n\r\nApache Struts2 REST\u63d2\u4ef6\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff0c\u7531\u4e8e\u4f7f\u7528XStream\u7ec4\u4ef6\u5bf9XML\u683c\u5f0f\u7684\u6570\u636e\u5305\u8fdb\u884c\u53cd\u5e8f\u5217\u5316\u64cd\u4f5c\u65f6\uff0c\u672a\u5bf9\u6570\u636e\u5185\u5bb9\u8fdb\u884c\u6709\u6548\u9a8c\u8bc1\uff0c\u5bfc\u81f4\u653b\u51fb\u8005\u53ef\u6784\u9020\u6076\u610f\u7684XML\u5185\u5bb9\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Struts2 REST\u63d2\u4ef6\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Struts2 \u003e=2.5\uff0c\u003c=2.5.12"
  },
  "referenceLink": "https://cwiki.apache.org/confluence/display/WW/S2-052",
  "serverity": "\u9ad8",
  "submitTime": "2017-09-06",
  "title": "Apache Struts2 REST\u63d2\u4ef6\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}

CVE-2017-9805 (GCVE-0-2017-9805)

Vulnerability from cvelistv5

Published

2017-09-15 19:00

Modified

2025-07-30 01:46

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

Summary

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

References

▼	URL	Tags
	http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html	x_refsource_CONFIRM
	https://struts.apache.org/docs/s2-052.html	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1039263	vdb-entry, x_refsource_SECTRACK
	http://www.securityfocus.com/bid/100609	vdb-entry, x_refsource_BID
	https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2	vendor-advisory, x_refsource_CISCO
	https://bugzilla.redhat.com/show_bug.cgi?id=1488482	x_refsource_CONFIRM
	https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax	x_refsource_CONFIRM
	https://www.exploit-db.com/exploits/42627/	exploit, x_refsource_EXPLOIT-DB
	https://lgtm.com/blog/apache_struts_CVE-2017-9805	x_refsource_MISC
	https://cwiki.apache.org/confluence/display/WW/S2-052	x_refsource_CONFIRM
	https://security.netapp.com/advisory/ntap-20170907-0001/	x_refsource_CONFIRM
	https://www.kb.cert.org/vuls/id/112992	third-party-advisory, x_refsource_CERT-VN

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Struts	Version: Apache Struts before 2.3.34 and 2.5.x before 2.5.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T17:18:01.942Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://struts.apache.org/docs/s2-052.html"
          },
          {
            "name": "1039263",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1039263"
          },
          {
            "name": "100609",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/100609"
          },
          {
            "name": "20170907 Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017",
            "tags": [
              "vendor-advisory",
              "x_refsource_CISCO",
              "x_transferred"
            ],
            "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1488482"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax"
          },
          {
            "name": "42627",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/42627/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lgtm.com/blog/apache_struts_CVE-2017-9805"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://cwiki.apache.org/confluence/display/WW/S2-052"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20170907-0001/"
          },
          {
            "name": "VU#112992",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "https://www.kb.cert.org/vuls/id/112992"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2017-9805",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-06T21:07:51.564352Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2021-11-03",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-9805"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-502",
                "description": "CWE-502 Deserialization of Untrusted Data",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-30T01:46:23.770Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "timeline": [
          {
            "lang": "en",
            "time": "2021-11-03T00:00:00+00:00",
            "value": "CVE-2017-9805 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Struts",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "Apache Struts before 2.3.34 and 2.5.x before 2.5.13"
            }
          ]
        }
      ],
      "datePublic": "2017-09-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "RCE",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-08-12T20:45:53.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://struts.apache.org/docs/s2-052.html"
        },
        {
          "name": "1039263",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1039263"
        },
        {
          "name": "100609",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/100609"
        },
        {
          "name": "20170907 Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017",
          "tags": [
            "vendor-advisory",
            "x_refsource_CISCO"
          ],
          "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1488482"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax"
        },
        {
          "name": "42627",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/42627/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lgtm.com/blog/apache_struts_CVE-2017-9805"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://cwiki.apache.org/confluence/display/WW/S2-052"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20170907-0001/"
        },
        {
          "name": "VU#112992",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "https://www.kb.cert.org/vuls/id/112992"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2017-9805",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Struts",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Apache Struts before 2.3.34 and 2.5.x before 2.5.13"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "RCE"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html"
            },
            {
              "name": "https://struts.apache.org/docs/s2-052.html",
              "refsource": "CONFIRM",
              "url": "https://struts.apache.org/docs/s2-052.html"
            },
            {
              "name": "1039263",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1039263"
            },
            {
              "name": "100609",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/100609"
            },
            {
              "name": "20170907 Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017",
              "refsource": "CISCO",
              "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1488482",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1488482"
            },
            {
              "name": "https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax",
              "refsource": "CONFIRM",
              "url": "https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax"
            },
            {
              "name": "42627",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/42627/"
            },
            {
              "name": "https://lgtm.com/blog/apache_struts_CVE-2017-9805",
              "refsource": "MISC",
              "url": "https://lgtm.com/blog/apache_struts_CVE-2017-9805"
            },
            {
              "name": "https://cwiki.apache.org/confluence/display/WW/S2-052",
              "refsource": "CONFIRM",
              "url": "https://cwiki.apache.org/confluence/display/WW/S2-052"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20170907-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20170907-0001/"
            },
            {
              "name": "VU#112992",
              "refsource": "CERT-VN",
              "url": "https://www.kb.cert.org/vuls/id/112992"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2017-9805",
    "datePublished": "2017-09-15T19:00:00.000Z",
    "dateReserved": "2017-06-21T00:00:00.000Z",
    "dateUpdated": "2025-07-30T01:46:23.770Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted