CVE-2017-9791 — CRITICAL (9.8)

Vulnerability Description

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Struts	2.3.1

Related Weaknesses (CWE)

CWE-20

References

http://struts.apache.org/docs/s2-048.htmlMitigationVendor Advisory
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.PatchThird Party Advisory
http://www.securityfocus.com/bid/99484Third Party AdvisoryVDB EntryBroken Link
http://www.securitytracker.com/id/1038838Third Party AdvisoryVDB EntryBroken Link
https://security.netapp.com/advisory/ntap-20180706-0002/Third Party Advisory
https://www.exploit-db.com/exploits/42324/Third Party AdvisoryVDB Entry
https://www.exploit-db.com/exploits/44643/Third Party AdvisoryVDB Entry
http://struts.apache.org/docs/s2-048.htmlMitigationVendor Advisory
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.PatchThird Party Advisory
http://www.securityfocus.com/bid/99484Third Party AdvisoryVDB EntryBroken Link
http://www.securitytracker.com/id/1038838Third Party AdvisoryVDB EntryBroken Link
https://security.netapp.com/advisory/ntap-20180706-0002/Third Party Advisory
https://www.exploit-db.com/exploits/42324/Third Party AdvisoryVDB Entry
https://www.exploit-db.com/exploits/44643/Third Party AdvisoryVDB Entry
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-US Government Resource

FAQ

What is CVE-2017-9791?

CVE-2017-9791 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

How severe is CVE-2017-9791?

CVE-2017-9791 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2017-9791?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Struts.