CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2017-9791

CVSS 9.8v3.1pub. 2017-07-10upd. 2026-04-21

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Struts

    APP
    Apache
    2.3.12.3.1.12.3.1.22.3.122.3.142.3.14.12.3.14.22.3.14.32.3.152.3.15.12.3.15.22.3.15.32.3.162.3.16.12.3.16.2+ 18 więcej

CISA KEV — detailsi

Vendori
Apache
Producti
Struts 1
Added to KEVi
February 10, 2022
Remediation deadline (US Federal)i
August 10, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

The Struts 1 plugin in Apache Struts might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 10 sierpnia 2022
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2020-17530CRITICAL9.8⚠ KEVten sam produkt

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution....

CVE-2017-5638CRITICAL9.8⚠ KEVten sam produkt

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect ex...

CVE-2013-2251CRITICAL9.8⚠ KEVten sam produkt

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a paramet...

CVE-2012-0391CRITICAL9.8⚠ KEVten sam produkt

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressio...

CVE-2024-53677CRITICAL9.5PL ✓ten sam produkt

Apache Struts: RCE przez podatność path traversal przy upload plików