HIGH🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2017-9805

CVSS 8.1v3.1pub. 2017-09-15upd. 2026-04-21

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Struts

    APP
    Apache
    2.1.2 – 2.3.34 (bez)2.5.0 – 2.5.13 (bez)
  • Cisco Digital Media Manager

    APP
    Cisco
    wszystkie wersje
  • Cisco Hosted Collaboration Solution

    APP
    Cisco
    10.5\(1\)11.0\(1\)11.5\(1\)11.6\(1\)
  • Cisco Media Experience Engine

    APP
    Cisco
    3.53.5.2
  • Cisco Network Performance Analysis

    APP
    Cisco
    wszystkie wersje
  • Cisco Video Distribution Suite For Internet Streaming

    APP
    Cisco
    wszystkie wersje
  • Netapp Oncommand Balance

    APP
    Netapp
    wszystkie wersje

CISA KEV — detailsi

Vendori
Apache
Producti
Struts
Added to KEVi
November 3, 2021
Remediation deadline (US Federal)i
May 3, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 3 maja 2022
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2020-17530CRITICAL9.8⚠ KEVten sam produkt

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution....

CVE-2017-9791CRITICAL9.8⚠ KEVten sam produkt

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field v...

CVE-2017-5638CRITICAL9.8⚠ KEVten sam produkt

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect ex...

CVE-2016-3427CRITICAL9.8⚠ KEVten sam produkt

Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 ...

CVE-2013-2251CRITICAL9.8⚠ KEVten sam produkt

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a paramet...