Vulnerability Change Records for CVE-2017-9805

Change History

CVE Modified by Apache Software Foundation 9/27/2017 9:29:04 PM

Action Type Old Value New Value
Added Reference
    http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html [No Types Assigned]

CVE Modified by Apache Software Foundation 9/21/2017 9:29:25 PM

Action Type Old Value New Value
Added Reference
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2 [No Types Assigned]

CVE Modified by Apache Software Foundation 11/09/2017 9:29:20 PM

Action Type Old Value New Value
Added Reference
    https://security.netapp.com/advisory/ntap-20170907-0001/ [No Types Assigned]

CVE Modified by Apache Software Foundation 9/16/2017 9:29:06 PM

Action Type Old Value New Value
Added Reference
    http://www.securityfocus.com/bid/100609 [No Types Assigned]
Added Reference
    http://www.securitytracker.com/id/1039263 [No Types Assigned]
Added Reference
    https://www.exploit-db.com/exploits/42627/ [No Types Assigned]

CVE Modified by Apache Software Foundation 10/30/2017 9:29:03 PM

Action Type Old Value New Value
Added Reference
    https://lgtm.com/blog/apache_struts_CVE-2017-9805 [No Types Assigned]
Added Reference
    https://www.kb.cert.org/vuls/id/112992 [No Types Assigned]

Initial Analysis 9/29/2017 9:26:37 AM

Action Type Old Value New Value
Added CPE Configuration
    OR
     *cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.1.3:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.1.4:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.1.5:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.1.6:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.1.8:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.1.8.1:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.2.1:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.2.1.1:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.2.3:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.2.3.1:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.1.1:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.1.2:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.3:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.4:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.4.1:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.33:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.3.34:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.10.1:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.11:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.12:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.13:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.14:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.15:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.16:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.17:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.18:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.19:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.20:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.21:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.22:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.23:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.24:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.25:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.26:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.27:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.28:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.29:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.30:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.31:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.32:*:*:*:*:*:*:*
     *cpe:2.3:a:apache:struts:2.5.33:*:*:*:*:*:*:*
Added CVSS V2
    (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Added CVSS V3
    AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Added CWE
    CWE-502
Changed Reference Type
    Old: http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html No Types Assigned
    New: http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html Third Party Advisory
Changed Reference Type
    Old: http://www.securityfocus.com/bid/100609 No Types Assigned
    New: http://www.securityfocus.com/bid/100609 Third Party Advisory, VDB Entry
Changed Reference Type
    Old: http://www.securitytracker.com/id/1039263 No Types Assigned
    New: http://www.securitytracker.com/id/1039263 Third Party Advisory, VDB Entry
Changed Reference Type
    Old: https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax No Types Assigned
    New: https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax Vendor Advisory
Changed Reference Type
    Old: https://bugzilla.redhat.com/show_bug.cgi?id=1488482 No Types Assigned
    New: https://bugzilla.redhat.com/show_bug.cgi?id=1488482 Issue Tracking, Third Party Advisory, VDB Entry
Changed Reference Type
    Old: https://cwiki.apache.org/confluence/display/WW/S2-052 No Types Assigned
    New: https://cwiki.apache.org/confluence/display/WW/S2-052 Mitigation, Vendor Advisory
Changed Reference Type
    Old: https://struts.apache.org/docs/s2-052.html No Types Assigned
    New: https://struts.apache.org/docs/s2-052.html Vendor Advisory
Changed Reference Type
    Old: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2 No Types Assigned
    New: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2 Third Party Advisory
Changed Reference Type
    Old: https://www.exploit-db.com/exploits/42627/ No Types Assigned
    New: https://www.exploit-db.com/exploits/42627/ Third Party Advisory, VDB Entry

CVE Modified by Apache Software Foundation 8/12/2019 5:15:15 PM

Action Type Old Value New Value
Changed Description
    Old: The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
    New: The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.