⚠ Actively exploited

Added to CISA KEV on 2022-02-10. Federal agencies required to patch by 2022-08-10. Required action: Apply updates per vendor instructions..

CVE-2017-9791

CWE-20 — Improper Input Validation18 documents13 sources

Severity

9.8CRITICAL

EPSS

94.2%

top 0.07%

CISA KEV

KEV

Added 2022-02-10

Due 2022-08-10

Exploit

Exploited in wild

Active exploitation observed

Affected products

Apache Software Foundation Apache Struts Apache Struts

Timeline

PublishedJul 10

KEV addedFeb 10

Latest updateMay 13

KEV dueAug 10

CISA Required Action: Apply updates per vendor instructions.

Description

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.apache.struts:struts2-struts1-plugin2.3.37

▶NVDapache/struts33 versions+32

▶CVEListV5apache_software_foundation/apache_struts2.1.x series, 2.3.x series+1

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Code execution in Apache Struts 1 plugin↗2022-05-13

▶

GHSA

Code execution in Apache Struts 1 plugin↗2022-05-13

▶

CVEList

CVE-2017-9791: The Struts 1 plugin in Apache Struts 2↗2017-07-10

▶

VulnCheck

Apache Struts 1 Improper Input Validation Vulnerability↗2017

▶

💥Exploits & PoCs

Exploit-DB

Apache Struts 2 - Struts 1 Plugin Showcase OGNL Code Execution (Metasploit)↗2018-05-17

▶

Exploit-DB

Apache Struts 2.3.x Showcase - Remote Code Execution↗2017-07-07

▶

Nuclei

Apache Struts2 S2-053 - Remote Code Execution

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS OGNL Expression Injection (CVE-2017-9791)↗2017-07-14

▶

📋Vendor Advisories

CISA

Apache Struts 1 Improper Input Validation Vulnerability↗2022-02-10

▶

Red Hat

struts2: Possible RCE via a malicious field value passed in a raw message to the ActionMessage↗2017-07-07

▶