Details of VAR-201709-1229

ID

VAR-201709-1229

CVE

CVE-2017-9805

TITLE

Apache Struts 2 framework REST plugin insecurely deserializes untrusted XML data

Trust: 0.8

sources: CERT/CC: VU#112992

DESCRIPTION

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads. Apache Struts 2 framework, versions 2.5 to 2.5.12, with REST plugin insecurely deserializes untrusted XML data. A remote, unauthenticated attacker can leverage this vulnerability to execute arbitrary code in the context of the Struts application. Apache Struts2 Contains a vulnerability that allows arbitrary code execution (S2-052) Exists. An attacker can exploit this issue to cause a denial-of-service condition, denying service to legitimate users. Apache Struts is prone to a remote code-execution vulnerability. Failed exploit attempts will likely result in denial-of-service conditions. Apache Struts 2.1.2 through 2.3.33 and 2.5 through 2.5.12 are vulnerable

Trust: 4.32

sources: NVD: CVE-2017-9805 // CERT/CC: VU#112992 // JVNDB: JVNDB-2017-006931 // BID: 99562 // BID: 99563 // BID: 99484 // BID: 100612 // BID: 100611 // BID: 100609 // BID: 100829 // VULMON: CVE-2017-9805

AFFECTED PRODUCTS

vendor:	oracle	model:	weblogic server	scope:	eq	version:	10.3.60	Trust: 2.1
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.3	Trust: 2.1
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.2	Trust: 2.1
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.1	Trust: 2.1
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.2.1.0	Trust: 2.1
vendor:	oracle	model:	weblogic server	scope:	eq	version:	12.1.3.0	Trust: 2.1
vendor:	oracle	model:	siebel applications	scope:	eq	version:	7.1	Trust: 2.1
vendor:	oracle	model:	siebel applications	scope:	eq	version:	6.2	Trust: 2.1
vendor:	oracle	model:	mysql enterprise monitor	scope:	eq	version:	3.2.1182	Trust: 2.1
vendor:	oracle	model:	mysql enterprise monitor	scope:	eq	version:	3.4.2.4181	Trust: 2.1
vendor:	oracle	model:	mysql enterprise monitor	scope:	eq	version:	3.4.1	Trust: 2.1
vendor:	oracle	model:	mysql enterprise monitor	scope:	eq	version:	3.4.0	Trust: 2.1
vendor:	oracle	model:	mysql enterprise monitor	scope:	eq	version:	3.3.4.3247	Trust: 2.1
vendor:	oracle	model:	mysql enterprise monitor	scope:	eq	version:	3.3.3.1199	Trust: 2.1
vendor:	oracle	model:	mysql enterprise monitor	scope:	eq	version:	3.3.2.1162	Trust: 2.1
vendor:	oracle	model:	mysql enterprise monitor	scope:	eq	version:	3.3.0.1098	Trust: 2.1
vendor:	oracle	model:	mysql enterprise monitor	scope:	eq	version:	3.2.8.2223	Trust: 2.1
vendor:	oracle	model:	mysql enterprise monitor	scope:	eq	version:	3.2.7.1204	Trust: 2.1
vendor:	oracle	model:	mysql enterprise monitor	scope:	eq	version:	3.2.5.1141	Trust: 2.1
vendor:	oracle	model:	mysql enterprise monitor	scope:	eq	version:	3.2.4.1102	Trust: 2.1
vendor:	oracle	model:	mysql enterprise monitor	scope:	eq	version:	3.2.1.1049	Trust: 2.1
vendor:	oracle	model:	micros retail xbri loss prevention	scope:	eq	version:	10.8.1	Trust: 2.1
vendor:	oracle	model:	micros retail xbri loss prevention	scope:	eq	version:	10.8	Trust: 2.1
vendor:	oracle	model:	micros retail xbri loss prevention	scope:	eq	version:	10.7	Trust: 2.1
vendor:	oracle	model:	micros retail xbri loss prevention	scope:	eq	version:	10.6	Trust: 2.1
vendor:	oracle	model:	micros retail xbri loss prevention	scope:	eq	version:	10.5	Trust: 2.1
vendor:	oracle	model:	micros retail xbri loss prevention	scope:	eq	version:	10.0.1	Trust: 2.1
vendor:	oracle	model:	insurance performance insight for general insurance	scope:	eq	version:	8.0	Trust: 2.1
vendor:	oracle	model:	insurance data foundation	scope:	eq	version:	8.0.5	Trust: 2.1
vendor:	oracle	model:	insurance data foundation	scope:	eq	version:	8.0.4	Trust: 2.1
vendor:	oracle	model:	insurance data foundation	scope:	eq	version:	8.0.3	Trust: 2.1
vendor:	oracle	model:	insurance data foundation	scope:	eq	version:	8.0.2	Trust: 2.1
vendor:	oracle	model:	insurance data foundation	scope:	eq	version:	8.0.1	Trust: 2.1
vendor:	oracle	model:	flexcube private banking	scope:	eq	version:	12.1	Trust: 2.1
vendor:	oracle	model:	flexcube private banking	scope:	eq	version:	12.0.3	Trust: 2.1
vendor:	oracle	model:	flexcube private banking	scope:	eq	version:	12.0.2	Trust: 2.1
vendor:	oracle	model:	flexcube private banking	scope:	eq	version:	12.0.1	Trust: 2.1
vendor:	oracle	model:	flexcube private banking	scope:	eq	version:	12.0	Trust: 2.1
vendor:	oracle	model:	flexcube private banking	scope:	eq	version:	2.2	Trust: 2.1
vendor:	oracle	model:	flexcube private banking	scope:	eq	version:	3.0	Trust: 2.1
vendor:	oracle	model:	financial services retail performance analytics	scope:	eq	version:	8.0.5	Trust: 2.1
vendor:	oracle	model:	financial services retail performance analytics	scope:	eq	version:	8.0.4	Trust: 2.1
vendor:	oracle	model:	financial services retail performance analytics	scope:	eq	version:	8.0.3	Trust: 2.1
vendor:	oracle	model:	financial services retail performance analytics	scope:	eq	version:	8.0.2	Trust: 2.1
vendor:	oracle	model:	financial services retail performance analytics	scope:	eq	version:	8.0.1	Trust: 2.1
vendor:	oracle	model:	financial services retail performance analytics	scope:	eq	version:	8.0	Trust: 2.1
vendor:	oracle	model:	financial services retail customer analytics	scope:	eq	version:	8.0.5	Trust: 2.1
vendor:	oracle	model:	financial services retail customer analytics	scope:	eq	version:	8.0.4	Trust: 2.1
vendor:	oracle	model:	financial services retail customer analytics	scope:	eq	version:	8.0.3	Trust: 2.1
vendor:	oracle	model:	financial services retail customer analytics	scope:	eq	version:	8.0.2	Trust: 2.1
vendor:	oracle	model:	financial services retail customer analytics	scope:	eq	version:	8.0.1	Trust: 2.1
vendor:	oracle	model:	financial services retail customer analytics	scope:	eq	version:	8.0	Trust: 2.1
vendor:	oracle	model:	financial services profitability management	scope:	eq	version:	8.0.5	Trust: 2.1
vendor:	oracle	model:	financial services profitability management	scope:	eq	version:	8.0.4	Trust: 2.1
vendor:	oracle	model:	financial services profitability management	scope:	eq	version:	8.0.3	Trust: 2.1
vendor:	oracle	model:	financial services profitability management	scope:	eq	version:	8.0.2	Trust: 2.1
vendor:	oracle	model:	financial services profitability management	scope:	eq	version:	8.0.1	Trust: 2.1
vendor:	oracle	model:	financial services profitability management	scope:	eq	version:	6.1.1	Trust: 2.1
vendor:	oracle	model:	financial services profitability management	scope:	eq	version:	6.1	Trust: 2.1
vendor:	oracle	model:	financial services profitability management	scope:	eq	version:	6.0	Trust: 2.1
vendor:	oracle	model:	financial services pricing management	scope:	eq	version:	8.0.5	Trust: 2.1
vendor:	oracle	model:	financial services pricing management	scope:	eq	version:	8.0.4	Trust: 2.1
vendor:	oracle	model:	financial services pricing management	scope:	eq	version:	8.0	Trust: 2.1
vendor:	oracle	model:	financial services price creation and discovery	scope:	eq	version:	8.0.5	Trust: 2.1
vendor:	oracle	model:	financial services price creation and discovery	scope:	eq	version:	8.0.4	Trust: 2.1
vendor:	oracle	model:	financial services price creation and discovery	scope:	eq	version:	8.0	Trust: 2.1
vendor:	oracle	model:	financial services loan loss forecasting and provisioning	scope:	eq	version:	8.0.5	Trust: 2.1
vendor:	oracle	model:	financial services loan loss forecasting and provisioning	scope:	eq	version:	8.0.4	Trust: 2.1
vendor:	oracle	model:	financial services loan loss forecasting and provisioning	scope:	eq	version:	8.0.3	Trust: 2.1
vendor:	oracle	model:	financial services loan loss forecasting and provisioning	scope:	eq	version:	8.0.2	Trust: 2.1
vendor:	oracle	model:	financial services loan loss forecasting and provisioning	scope:	eq	version:	8.0.1	Trust: 2.1
vendor:	oracle	model:	financial services loan loss forecasting and provisioning	scope:	eq	version:	1.5.1	Trust: 2.1
vendor:	oracle	model:	financial services loan loss forecasting and provisioning	scope:	eq	version:	1.5	Trust: 2.1
vendor:	oracle	model:	financial services liquidity risk management	scope:	eq	version:	8.0.4	Trust: 2.1
vendor:	oracle	model:	financial services liquidity risk management	scope:	eq	version:	8.0.2	Trust: 2.1
vendor:	oracle	model:	financial services liquidity risk management	scope:	eq	version:	8.0.1	Trust: 2.1
vendor:	oracle	model:	financial services institutional performance analytics	scope:	eq	version:	8.0.5	Trust: 2.1
vendor:	oracle	model:	financial services institutional performance analytics	scope:	eq	version:	8.0.4	Trust: 2.1
vendor:	oracle	model:	financial services institutional performance analytics	scope:	eq	version:	8.0.3	Trust: 2.1
vendor:	oracle	model:	financial services institutional performance analytics	scope:	eq	version:	8.0.2	Trust: 2.1
vendor:	oracle	model:	financial services institutional performance analytics	scope:	eq	version:	8.0.1	Trust: 2.1
vendor:	oracle	model:	financial services institutional performance analytics	scope:	eq	version:	8.0	Trust: 2.1
vendor:	oracle	model:	financial services icaap analytics	scope:	eq	version:	8.0	Trust: 2.1
vendor:	oracle	model:	financial services hedge management and ifrs valuations	scope:	eq	version:	8.0.5	Trust: 2.1
vendor:	oracle	model:	financial services hedge management and ifrs valuations	scope:	eq	version:	8.0.4	Trust: 2.1
vendor:	oracle	model:	financial services hedge management and ifrs valuations	scope:	eq	version:	8.0.3	Trust: 2.1
vendor:	oracle	model:	financial services hedge management and ifrs valuations	scope:	eq	version:	8.0.2	Trust: 2.1
vendor:	oracle	model:	financial services hedge management and ifrs valuations	scope:	eq	version:	8.0.1	Trust: 2.1
vendor:	oracle	model:	financial services hedge management and ifrs valuations	scope:	eq	version:	6.1.1	Trust: 2.1
vendor:	oracle	model:	financial services funds transfer pricing	scope:	eq	version:	8.0.5	Trust: 2.1
vendor:	oracle	model:	financial services funds transfer pricing	scope:	eq	version:	8.0.4	Trust: 2.1
vendor:	oracle	model:	financial services funds transfer pricing	scope:	eq	version:	8.0.3	Trust: 2.1
vendor:	oracle	model:	financial services funds transfer pricing	scope:	eq	version:	8.0.2	Trust: 2.1
vendor:	oracle	model:	financial services funds transfer pricing	scope:	eq	version:	8.0.1	Trust: 2.1
vendor:	oracle	model:	financial services funds transfer pricing	scope:	eq	version:	6.1.1	Trust: 2.1
vendor:	oracle	model:	financial services funds transfer pricing	scope:	eq	version:	6.1	Trust: 2.1
vendor:	oracle	model:	financial services funds transfer pricing	scope:	eq	version:	6.0	Trust: 2.1
vendor:	oracle	model:	financial services enterprise financial performance analytics	scope:	eq	version:	8.0.5	Trust: 2.1
vendor:	oracle	model:	financial services enterprise financial performance analytics	scope:	eq	version:	8.0.4	Trust: 2.1
vendor:	oracle	model:	financial services enterprise financial performance analytics	scope:	eq	version:	8.0.3	Trust: 2.1
vendor:	oracle	model:	financial services enterprise financial performance analytics	scope:	eq	version:	8.0.2	Trust: 2.1
vendor:	oracle	model:	financial services enterprise financial performance analytics	scope:	eq	version:	8.0.1	Trust: 2.1
vendor:	oracle	model:	financial services enterprise financial performance analytics	scope:	eq	version:	8.0	Trust: 2.1
vendor:	oracle	model:	financial services data integration hub	scope:	eq	version:	8.0.4	Trust: 2.1
vendor:	oracle	model:	financial services data integration hub	scope:	eq	version:	8.0.3	Trust: 2.1
vendor:	oracle	model:	financial services data integration hub	scope:	eq	version:	8.0.2	Trust: 2.1
vendor:	oracle	model:	financial services data integration hub	scope:	eq	version:	8.0.1	Trust: 2.1
vendor:	oracle	model:	financial services data foundation	scope:	eq	version:	8.0.5	Trust: 2.1
vendor:	oracle	model:	financial services data foundation	scope:	eq	version:	8.0.4	Trust: 2.1
vendor:	oracle	model:	financial services data foundation	scope:	eq	version:	8.0.3	Trust: 2.1
vendor:	oracle	model:	financial services data foundation	scope:	eq	version:	8.0.2	Trust: 2.1
vendor:	oracle	model:	financial services data foundation	scope:	eq	version:	8.0.1	Trust: 2.1
vendor:	oracle	model:	financial services data foundation	scope:	eq	version:	7.4	Trust: 2.1
vendor:	oracle	model:	financial services data foundation	scope:	eq	version:	7.3	Trust: 2.1
vendor:	oracle	model:	financial services basel regulatory capital internal ratings bas	scope:	eq	version:	8.0.4	Trust: 2.1
vendor:	oracle	model:	financial services basel regulatory capital internal ratings bas	scope:	eq	version:	8.0.3	Trust: 2.1
vendor:	oracle	model:	financial services basel regulatory capital internal ratings bas	scope:	eq	version:	8.0.2	Trust: 2.1
vendor:	oracle	model:	financial services basel regulatory capital internal ratings bas	scope:	eq	version:	8.0.1	Trust: 2.1
vendor:	oracle	model:	financial services basel regulatory capital basic	scope:	eq	version:	8.0.4	Trust: 2.1
vendor:	oracle	model:	financial services basel regulatory capital basic	scope:	eq	version:	8.0.3	Trust: 2.1
vendor:	oracle	model:	financial services basel regulatory capital basic	scope:	eq	version:	8.0.2	Trust: 2.1
vendor:	oracle	model:	financial services basel regulatory capital basic	scope:	eq	version:	8.0.1	Trust: 2.1
vendor:	oracle	model:	financial services asset liability management	scope:	eq	version:	8.0.5	Trust: 2.1
vendor:	oracle	model:	financial services asset liability management	scope:	eq	version:	8.0.4	Trust: 2.1
vendor:	oracle	model:	financial services asset liability management	scope:	eq	version:	8.0.3	Trust: 2.1
vendor:	oracle	model:	financial services asset liability management	scope:	eq	version:	8.0.2	Trust: 2.1
vendor:	oracle	model:	financial services asset liability management	scope:	eq	version:	8.0.1	Trust: 2.1
vendor:	oracle	model:	financial services asset liability management	scope:	eq	version:	6.1.1	Trust: 2.1
vendor:	oracle	model:	financial services asset liability management	scope:	eq	version:	6.1	Trust: 2.1
vendor:	oracle	model:	financial services asset liability management	scope:	eq	version:	6.0	Trust: 2.1
vendor:	oracle	model:	financial services analytical applications reconciliation	scope:	eq	version:	8.0.4	Trust: 2.1
vendor:	oracle	model:	financial services analytical applications reconciliation	scope:	eq	version:	8.0.3	Trust: 2.1
vendor:	oracle	model:	financial services analytical applications reconciliation	scope:	eq	version:	8.0.2	Trust: 2.1
vendor:	oracle	model:	financial services analytical applications reconciliation	scope:	eq	version:	8.0.1	Trust: 2.1
vendor:	oracle	model:	financial services analytical applications reconciliation	scope:	eq	version:	8.0	Trust: 2.1
vendor:	oracle	model:	financial services analytical applications reconciliation	scope:	eq	version:	3.5.1	Trust: 2.1
vendor:	oracle	model:	financial services analytical applications reconciliation	scope:	eq	version:	3.5	Trust: 2.1
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	eq	version:	7.3	Trust: 2.1
vendor:	oracle	model:	financial services analytical applications infrastructure	scope:	eq	version:	7.2	Trust: 2.1
vendor:	oracle	model:	communications policy management	scope:	eq	version:	12.1.1	Trust: 2.1
vendor:	oracle	model:	communications policy management	scope:	eq	version:	12.1	Trust: 2.1
vendor:	oracle	model:	communications policy management	scope:	eq	version:	11.5	Trust: 2.1
vendor:	oracle	model:	communications policy management	scope:	eq	version:	12.2	Trust: 2.1
vendor:	oracle	model:	siebel applications	scope:	eq	version:	16.1	Trust: 1.8
vendor:	apache	model:	struts	scope:	eq	version:	2.5.8	Trust: 1.8
vendor:	apache	model:	struts	scope:	eq	version:	2.5.7	Trust: 1.8
vendor:	apache	model:	struts	scope:	eq	version:	2.5.5	Trust: 1.8
vendor:	apache	model:	struts	scope:	eq	version:	2.5.2	Trust: 1.8
vendor:	apache	model:	struts	scope:	eq	version:	2.5.10	Trust: 1.8
vendor:	apache	model:	struts	scope:	eq	version:	2.5.1	Trust: 1.8
vendor:	apache	model:	struts	scope:	eq	version:	2.5	Trust: 1.8
vendor:	apache	model:	struts	scope:	eq	version:	2.3.31	Trust: 1.5
vendor:	apache	model:	struts	scope:	eq	version:	2.3.30	Trust: 1.5
vendor:	apache	model:	struts	scope:	eq	version:	2.3.28	Trust: 1.5
vendor:	apache	model:	struts	scope:	eq	version:	2.3.24	Trust: 1.5
vendor:	apache	model:	struts	scope:	eq	version:	2.3.8	Trust: 1.5
vendor:	apache	model:	struts	scope:	eq	version:	2.3.7	Trust: 1.5
vendor:	apache	model:	struts	scope:	eq	version:	2.3.32	Trust: 1.5
vendor:	apache	model:	struts	scope:	eq	version:	2.3.29	Trust: 1.5
vendor:	apache	model:	struts	scope:	eq	version:	2.3.20	Trust: 1.5
vendor:	apache	model:	struts	scope:	eq	version:	2.3.16	Trust: 1.5
vendor:	apache	model:	struts	scope:	eq	version:	2.3.15	Trust: 1.5
vendor:	cisco	model:	network performance analysis	scope:	eq	version:	0	Trust: 1.2
vendor:	cisco	model:	mxe series media experience engines	scope:	eq	version:	35000	Trust: 1.2
vendor:	cisco	model:	digital media manager	scope:	eq	version:	0	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.5.9	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.5.6	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.5.4	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.5.3	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.3.33	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.3.28.1	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.3.24.3	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.3.24.2	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.3.24.1	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.3.20.3	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.3.20.2	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.3.20.1	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.3.16.3	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.3.16.2	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.3.16.1	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.3.15.3	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.3.15.2	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.3.15.1	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.3.14.3	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.3.14.2	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.3.14.1	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.3.14	Trust: 1.2
vendor:	apache	model:	struts	scope:	ne	version:	2.3.34	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.2.3	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.1.8	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.1.6	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.1.5	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.1.2	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.1.4	Trust: 1.2
vendor:	apache	model:	struts	scope:	eq	version:	2.1.3	Trust: 1.2
vendor:	apache	model:	struts	scope:	gte	version:	2.1.2	Trust: 1.0
vendor:	cisco	model:	hosted collaboration solution	scope:	eq	version:	11.0\(1\)	Trust: 1.0
vendor:	apache	model:	struts	scope:	lt	version:	2.3.34	Trust: 1.0
vendor:	cisco	model:	video distribution suite for internet streaming	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	digital media manager	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	network performance analysis	scope:	eq	version:	-	Trust: 1.0
vendor:	cisco	model:	media experience engine	scope:	eq	version:	3.5	Trust: 1.0
vendor:	cisco	model:	media experience engine	scope:	eq	version:	3.5.2	Trust: 1.0
vendor:	apache	model:	struts	scope:	lt	version:	2.5.13	Trust: 1.0
vendor:	cisco	model:	hosted collaboration solution	scope:	eq	version:	10.5\(1\)	Trust: 1.0
vendor:	cisco	model:	hosted collaboration solution	scope:	eq	version:	11.6\(1\)	Trust: 1.0
vendor:	cisco	model:	hosted collaboration solution	scope:	eq	version:	11.5\(1\)	Trust: 1.0
vendor:	netapp	model:	oncommand balance	scope:	eq	version:	-	Trust: 1.0
vendor:	apache	model:	struts	scope:	gte	version:	2.5.0	Trust: 1.0
vendor:	apache	model:	struts	scope:	eq	version:	2.5.10.1	Trust: 0.9
vendor:	apache	model:	struts	scope:	ne	version:	2.5.12	Trust: 0.9
vendor:	apache	model:	struts	scope:	eq	version:	2.3.5	Trust: 0.9
vendor:	apache	model:	struts	scope:	eq	version:	2.3.4	Trust: 0.9
vendor:	apache	model:	struts	scope:	eq	version:	2.3.1	Trust: 0.9
vendor:	cisco	model:	video distribution suite for internet streaming	scope:	eq	version:	0	Trust: 0.9
vendor:	cisco	model:	unified intelligent contact management enterprise	scope:	eq	version:	0	Trust: 0.9
vendor:	cisco	model:	unified contact center enterprise	scope:	eq	version:	0	Trust: 0.9
vendor:	cisco	model:	hosted collaboration solution for contact center	scope:	eq	version:	0	Trust: 0.9
vendor:	apache	model:	struts	scope:	eq	version:	2.5.12	Trust: 0.9
vendor:	apache	model:	struts	scope:	eq	version:	2.5.11	Trust: 0.9
vendor:	apache	model:	struts	scope:	ne	version:	2.5.13	Trust: 0.9
vendor:	apache struts	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	apache	model:	struts	scope:	lte	version:	2.1.2 from 2.3.33	Trust: 0.8
vendor:	apache	model:	struts	scope:	lte	version:	2.5 from 2.5.12	Trust: 0.8
vendor:	apache	model:	struts	scope:	eq	version:	2.3.41	Trust: 0.6
vendor:	apache	model:	struts	scope:	eq	version:	2.2.11	Trust: 0.6
vendor:	apache	model:	struts	scope:	eq	version:	2.2	Trust: 0.6
vendor:	apache	model:	struts	scope:	eq	version:	2.1.1	Trust: 0.6
vendor:	apache	model:	struts	scope:	eq	version:	2.3.1.2	Trust: 0.6
vendor:	apache	model:	struts	scope:	eq	version:	2.3.1.1	Trust: 0.6
vendor:	apache	model:	struts	scope:	eq	version:	2.2.3.1	Trust: 0.6
vendor:	apache	model:	struts	scope:	eq	version:	2.2.1	Trust: 0.6
vendor:	apache	model:	struts	scope:	eq	version:	2.1.8.1	Trust: 0.6
vendor:	apache	model:	struts	scope:	eq	version:	2.2.1.1	Trust: 0.6
vendor:	xstream	model:	xstream	scope:	eq	version:	0	Trust: 0.3
vendor:	oracle	model:	siebel applications	scope:	eq	version:	6.1	Trust: 0.3
vendor:	oracle	model:	flexcube private banking	scope:	eq	version:	2.1	Trust: 0.3
vendor:	oracle	model:	flexcube private banking	scope:	eq	version:	2.0	Trust: 0.3
vendor:	apache	model:	struts	scope:	eq	version:	2.0.12	Trust: 0.3
vendor:	apache	model:	struts	scope:	eq	version:	2.0.10	Trust: 0.3
vendor:	apache	model:	struts	scope:	eq	version:	2.0	Trust: 0.3
vendor:	apache	model:	struts	scope:	eq	version:	2.0.2	Trust: 0.3
vendor:	apache	model:	struts	scope:	eq	version:	2.0.8	Trust: 0.3
vendor:	apache	model:	struts	scope:	eq	version:	2.0.1	Trust: 0.3
vendor:	cisco	model:	video distribution suite for internet streaming vds-is	scope:	eq	version:	0	Trust: 0.3
vendor:	apache	model:	struts	scope:	eq	version:	2.0.4	Trust: 0.3
vendor:	apache	model:	struts	scope:	eq	version:	2.0.3	Trust: 0.3
vendor:	apache	model:	struts	scope:	eq	version:	2.0.13	Trust: 0.3
vendor:	apache	model:	struts	scope:	eq	version:	2.0.11	Trust: 0.3
vendor:	apache	model:	struts	scope:	eq	version:	2.0.6	Trust: 0.3
vendor:	apache	model:	struts	scope:	eq	version:	2.1	Trust: 0.3
vendor:	apache	model:	struts	scope:	eq	version:	2.0.7	Trust: 0.3
vendor:	apache	model:	struts	scope:	eq	version:	2.0.5	Trust: 0.3
vendor:	apache	model:	struts	scope:	eq	version:	2.0.14	Trust: 0.3
vendor:	apache	model:	struts	scope:	eq	version:	2.0.9	Trust: 0.3

sources: CERT/CC: VU#112992 // BID: 99562 // BID: 99563 // BID: 99484 // BID: 100612 // BID: 100611 // BID: 100609 // BID: 100829 // JVNDB: JVNDB-2017-006931 // CNNVD: CNNVD-201706-914 // NVD: CVE-2017-9805

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-9805
value:	HIGH
Trust: 1.0
NVD:	CVE-2017-9805
value:	HIGH
Trust: 0.8
IPA:	JVNDB-2017-006931
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201706-914
value:	HIGH
Trust: 0.6
VULMON:	CVE-2017-9805
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2017-9805
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
NVD:	CVE-2017-9805
severity:	HIGH
baseScore:	10.0
vectorString:	NONE
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8
IPA:	JVNDB-2017-006931
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	NONE
impactScore:	NONE
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.8

nvd@nist.gov:	CVE-2017-9805
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.2
impactScore:	5.9
version:	3.1
Trust: 1.0
IPA:	JVNDB-2017-006931
baseSeverity:	HIGH
baseScore:	7.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	LOW
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CERT/CC: VU#112992 // VULMON: CVE-2017-9805 // JVNDB: JVNDB-2017-006931 // CNNVD: CNNVD-201706-914 // NVD: CVE-2017-9805

PROBLEMTYPE DATA

problemtype:

CWE-502

Trust: 1.0

sources: NVD: CVE-2017-9805

THREAT TYPE

network

Trust: 2.1

sources: BID: 99562 // BID: 99563 // BID: 99484 // BID: 100612 // BID: 100611 // BID: 100609 // BID: 100829

TYPE

Failure to Handle Exceptional Conditions

Trust: 1.2

sources: BID: 99562 // BID: 99563 // BID: 100612 // BID: 100611

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-006931

EXPLOIT AVAILABILITY

sources: CERT/CC: VU#112992 // VULMON: CVE-2017-9805

PATCH

title:	Announcements - 05 September 2017 - Struts 2.5.13 General Availability	url:	https://struts.apache.org/announce.html	Trust: 0.8
title:	S2-050: A regular expression Denial of Service when using URLValidator (similar to S2-044 & S2-047)	url:	https://struts.apache.org/docs/s2-050.html	Trust: 0.8
title:	S2-051: A remote attacker may create a DoS attack by sending crafted xml request when using the Struts REST plugin	url:	https://struts.apache.org/docs/s2-051.html	Trust: 0.8
title:	S2-052: Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads	url:	https://cwiki.apache.org/confluence/display/WW/S2-052	Trust: 0.8
title:	Apache Struts REST plugin Fixes for code issue vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=96764	Trust: 0.6
title:	Red Hat: CVE-2017-9805	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2017-9805	Trust: 0.1
title:	Cisco: Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017	url:	https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-20170907-struts2	Trust: 0.1
title:	Brocade Security Advisories: BSA-2017-427	url:	https://vulmon.com/vendoradvisory?qidtp=brocade_security_advisories&qid=a001b1600f58e0e70253dc5b53eaa134	Trust: 0.1
title:	Oracle: Oracle Security Alert Advisory - CVE-2017-9805	url:	https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=6b1cb2cef1b849b4466dd22ab18f80c9	Trust: 0.1
title:	Oracle: Oracle Critical Patch Update Advisory - October 2017	url:	https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=523d3f220a64ff01dd95e064bd37566a	Trust: 0.1
title:	S2-052	url:	https://github.com/iBearcat/S2-052	Trust: 0.1

sources: VULMON: CVE-2017-9805 // JVNDB: JVNDB-2017-006931 // CNNVD: CNNVD-201706-914

EXTERNAL IDS

db:	NVD	id:	CVE-2017-9805	Trust: 5.4
db:	CERT/CC	id:	VU#112992	Trust: 3.5
db:	BID	id:	100609	Trust: 1.9
db:	SECTRACK	id:	1039263	Trust: 1.6
db:	EXPLOIT-DB	id:	42627	Trust: 1.6
db:	JVN	id:	JVNVU92761484	Trust: 0.8
db:	JVNDB	id:	JVNDB-2017-006931	Trust: 0.8
db:	CNNVD	id:	CNNVD-201706-914	Trust: 0.6
db:	BID	id:	99562	Trust: 0.3
db:	BID	id:	99563	Trust: 0.3
db:	BID	id:	99484	Trust: 0.3
db:	BID	id:	100612	Trust: 0.3
db:	BID	id:	100611	Trust: 0.3
db:	BID	id:	100829	Trust: 0.3
db:	VULMON	id:	CVE-2017-9805	Trust: 0.1

sources: CERT/CC: VU#112992 // VULMON: CVE-2017-9805 // BID: 99562 // BID: 99563 // BID: 99484 // BID: 100612 // BID: 100611 // BID: 100609 // BID: 100829 // JVNDB: JVNDB-2017-006931 // CNNVD: CNNVD-201706-914 // NVD: CVE-2017-9805

REFERENCES

url:	https://struts.apache.org/docs/s2-052.html	Trust: 2.7
url:	https://www.kb.cert.org/vuls/id/112992	Trust: 2.7
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170907-struts2	Trust: 2.5
url:	https://lgtm.com/blog/apache_struts_cve-2017-9805	Trust: 2.4
url:	http://struts.apache.org/	Trust: 2.1
url:	http://www.oracle.com/technetwork/security-advisory/cve-2017-9805-products-3905487.html	Trust: 2.1
url:	https://bugzilla.redhat.com/show_bug.cgi?id=1488482	Trust: 1.9
url:	http://www.securitytracker.com/id/1039263	Trust: 1.6
url:	https://security.netapp.com/advisory/ntap-20170907-0001/	Trust: 1.6
url:	http://www.securityfocus.com/bid/100609	Trust: 1.6
url:	https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax	Trust: 1.6
url:	http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html	Trust: 1.6
url:	https://www.exploit-db.com/exploits/42627/	Trust: 1.6
url:	https://cwiki.apache.org/confluence/display/ww/s2-052	Trust: 1.6
url:	http://httpd.apache.org/	Trust: 1.2
url:	https://cwe.mitre.org/data/definitions/502.html	Trust: 0.8
url:	https://github.com/rapid7/metasploit-framework/pull/8924/files	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-9805	Trust: 0.8
url:	https://www.jpcert.or.jp/at/2017/at170033.html	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu92761484/index.html	Trust: 0.8
url:	http://www.apache.org/	Trust: 0.6
url:	http://struts.apache.org/docs/s2-049.html	Trust: 0.3
url:	http://struts.apache.org/docs/s2-047.html	Trust: 0.3
url:	http://struts.apache.org/announce.html#a20170707	Trust: 0.3
url:	http://struts.apache.org/docs/s2-048.html	Trust: 0.3
url:	https://bugzilla.redhat.com/show_bug.cgi?id=1488491	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2017-9804	Trust: 0.3
url:	https://struts.apache.org/docs/s2-050.html	Trust: 0.3
url:	https://struts.apache.org/docs/s2-051.html	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2017-9793	Trust: 0.3
url:	https://bugzilla.redhat.com/show_bug.cgi?id=1488481	Trust: 0.3
url:	https://lgtm.com/blog/apache_struts_cve-2017-9805_announcement	Trust: 0.3
url:	https://struts.apache.org/docs/version-notes-2513.html	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2017-9805	Trust: 0.3
url:	https://struts.apache.org/docs/s2-053.html	Trust: 0.3
url:	https://tools.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-20170909-struts2-rce	Trust: 0.3
url:	https://access.redhat.com/security/cve/cve-2017-12611	Trust: 0.3

CREDITS

Yasser Zamani

Trust: 0.3

sources: BID: 99562

SOURCES

db:	CERT/CC	id:	VU#112992
db:	VULMON	id:	CVE-2017-9805
db:	BID	id:	99562
db:	BID	id:	99563
db:	BID	id:	99484
db:	BID	id:	100612
db:	BID	id:	100611
db:	BID	id:	100609
db:	BID	id:	100829
db:	JVNDB	id:	JVNDB-2017-006931
db:	CNNVD	id:	CNNVD-201706-914
db:	NVD	id:	CVE-2017-9805

LAST UPDATE DATE

2024-09-09T22:52:27.398000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#112992	date:	2017-09-06T00:00:00
db:	VULMON	id:	CVE-2017-9805	date:	2019-08-12T00:00:00
db:	BID	id:	99562	date:	2017-09-27T15:00:00
db:	BID	id:	99563	date:	2017-09-27T15:00:00
db:	BID	id:	99484	date:	2017-09-27T15:00:00
db:	BID	id:	100612	date:	2017-09-27T15:00:00
db:	BID	id:	100611	date:	2017-09-27T15:00:00
db:	BID	id:	100609	date:	2017-09-27T10:00:00
db:	BID	id:	100829	date:	2017-09-27T15:00:00
db:	JVNDB	id:	JVNDB-2017-006931	date:	2017-09-08T00:00:00
db:	CNNVD	id:	CNNVD-201706-914	date:	2019-08-15T00:00:00
db:	NVD	id:	CVE-2017-9805	date:	2024-07-25T13:40:54.857

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#112992	date:	2017-09-06T00:00:00
db:	VULMON	id:	CVE-2017-9805	date:	2017-09-15T00:00:00
db:	BID	id:	99562	date:	2017-07-13T00:00:00
db:	BID	id:	99563	date:	2017-07-13T00:00:00
db:	BID	id:	99484	date:	2017-07-07T00:00:00
db:	BID	id:	100612	date:	2017-09-05T00:00:00
db:	BID	id:	100611	date:	2017-09-05T00:00:00
db:	BID	id:	100609	date:	2017-09-05T00:00:00
db:	BID	id:	100829	date:	2017-09-07T00:00:00
db:	JVNDB	id:	JVNDB-2017-006931	date:	2017-09-07T00:00:00
db:	CNNVD	id:	CNNVD-201706-914	date:	2017-06-22T00:00:00
db:	NVD	id:	CVE-2017-9805	date:	2017-09-15T19:29:00.237