{"id":"CVE-2017-9793","details":"The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 uses an outdated XStream library which is vulnerable and allows a DoS attack using a malicious request with a specially crafted XML payload.","aliases":["GHSA-vwxj-6m5m-rrvh"],"modified":"2026-04-10T04:02:44.390600Z","published":"2017-09-20T17:29:00.573Z","references":[{"type":"ADVISORY","url":"http://www.brocade.com/content/dam/common/documents/content-types/security-bulletin/brocade-security-advisory-2017-429.htm"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/100611"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1039262"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20180629-0001/"},{"type":"ADVISORY","url":"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2"},{"type":"FIX","url":"http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html"},{"type":"FIX","url":"https://struts.apache.org/docs/s2-051.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/struts","events":[{"introduced":"0"},{"last_affected":"28297863aee4d747638ce5b6f22262ac6a118ae0"},{"introduced":"0"},{"last_affected":"b2fe62824eebd213625d23378b5307dcb1b82c77"},{"introduced":"0"},{"last_affected":"bef7211c41e7b0df9ff2740c0d4843f5b7a43266"},{"introduced":"0"},{"last_affected":"f706c2fb2f48cba9bdb67e0ab806eb3cdeba25aa"},{"introduced":"0"},{"last_affected":"95814f0fa018ee284fb2c79710681a63dc5ee705"},{"introduced":"0"},{"last_affected":"f15f28a1766fe991de85c8cd089b102f77915319"},{"introduced":"0"},{"last_affected":"6d3be1df385939526545714435f6c16fa3dc3d94"},{"introduced":"0"},{"last_affected":"9df00b0a864fac2e763b7c26ba99af057202f0f3"},{"introduced":"0"},{"last_affected":"fc3df96990bafdecc6f3a89cf7a4dcf15066c687"},{"introduced":"0"},{"last_affected":"f0c159d871ee741e0cc74fe858cc7be79841078c"},{"introduced":"0"},{"last_affected":"a72c1f4
262a57bfe2819c6def81620d02d7867fb"},{"introduced":"0"},{"last_affected":"bc6094eece7dfa65e7439cd018d58e85c5d41e47"},{"introduced":"0"},{"last_affected":"8931ac19ea504a167f4d0c8e57ccc8f7f09f4135"},{"introduced":"0"},{"last_affected":"fd206c1386cc113e3f5b52fbc5b2f15a458b31b4"},{"introduced":"0"},{"last_affected":"3565f4d4f5c4c85a1ffab9e6169c86527aa6f4c7"},{"introduced":"0"},{"last_affected":"402374de33146e1c0401a247e0779e290cb0c078"},{"introduced":"0"},{"last_affected":"6cddee6fc539429544b28a96361a8af7a0691108"},{"introduced":"0"},{"last_affected":"7dd83dff485d324980f3d22c726cfd969ecf41f8"},{"introduced":"0"},{"last_affected":"e03ff728618f5bf551083fc3a52d43c07434bbc9"},{"introduced":"0"},{"last_affected":"7908a88a405458869f61ecff4b775429724a3ea4"},{"introduced":"0"},{"last_affected":"0032390ee89749c8dc55ac76f44900697aa0c713"},{"introduced":"0"},{"last_affected":"0320310406f6b11cfd235d7a9b866cf1de483a1e"},{"introduced":"0"},{"last_affected":"a9974eec5689a7113a6fb1e2096252f0935064dd"},{"introduced":"0"},{"last_affected":"d793648069386ce90fc9eae31e119de1a675f15a"},{"introduced":"0"},{"last_affected":"a40e9a90bf8b5039728ff312852991e7d580bff4"},{"introduced":"0"},{"last_affected":"22573f8de8b33ead0fee88eb67817985464218bb"},{"introduced":"0"},{"last_affected":"d469fffed912764f7af2da861319815d088a66e8"},{"introduced":"0"},{"last_affected":"a6e72347d2179a6d1a84acc0db54615c6f4b274c"},{"introduced":"0"},{"last_affected":"36b6fff05cd4a17f75b091c0edd52e0c1e65ec06"},{"introduced":"0"},{"last_affected":"8ca0f2fc464f592fa95d8435d0924c3b9da981ef"},{"introduced":"0"},{"last_affected":"013077abcb8d450d7313fb9fc766fe45f0b6f9c5"},{"introduced":"0"},{"last_affected":"8a59ed02c958db9213f0e54d816882a902891761"},{"introduced":"0"},{"last_affected":"0ac8932aa3a1b28a8f950863c17165cdc63b1474"},{"introduced":"0"},{"last_affected":"2cf0a7efeb12c8f476e31324dc56456b340ddeab"},{"introduced":"0"},{"last_affected":"bb22c585b5b52967fab033dba02cd244cd5b5b7a"},{"introduced":"0"},{"last_affected":"5c61c9a
5752109a00ccdadbce3d4adb681f82c9a"},{"introduced":"0"},{"last_affected":"de90290354a1c6c819687305e053232bc8a4a697"},{"introduced":"0"},{"last_affected":"1ed29d508fc0a3762ad7d16336a71adcf69bd88d"},{"introduced":"0"},{"last_affected":"631ce98d171b1c7adb680b41a0303c61a81678fd"},{"introduced":"0"},{"last_affected":"4bee55fee30086c786d09503125a2b1c2ae8dcfa"},{"introduced":"0"},{"last_affected":"2a37a2e32db6d6905de48e04f71d995f41055827"},{"introduced":"0"},{"last_affected":"56ae397d75430dc63fd68b0bfb36afbac1226023"},{"introduced":"0"},{"last_affected":"9a63e6504b2d246573ff1483d45d9b12a49aa9c6"},{"introduced":"0"},{"last_affected":"e8aa825f21fc951418f0cfa770d32762a4a83664"},{"introduced":"0"},{"last_affected":"17e14ef42bcf1182c2985f2a25543cf4e88235e2"},{"introduced":"0"},{"last_affected":"c6a0ea2dcd6ea94bf551ed200955724013c34d3b"},{"introduced":"0"},{"last_affected":"12cc861875665e19c9d72a131f606a9b855b5c80"},{"introduced":"0"},{"last_affected":"f2348e53cbdf8ad7d9c28c66dc6fefe2c5718636"},{"introduced":"0"},{"last_affected":"31a0768da35bb762db93e7931cadb8552f206a56"},{"introduced":"0"},{"last_affected":"5054ff469a416a1fd1331389e48aca6d22eef28f"},{"introduced":"0"},{"last_affected":"4281e31864e0f2e0bffc0e537dc9c6e40604aec0"},{"introduced":"0"},{"last_affected":"ee27b6604a6e703ab5e802afa93ac43915d4373f"},{"introduced":"0"},{"last_affected":"f0f4e9ece77000e0eb0071bf233ed4b9bc9c8205"},{"introduced":"0"},{"last_affected":"376a891aeed6157d5621f9a9101d91be60f57b01"},{"introduced":"0"},{"last_affected":"ee74aea445883ff5ee235190722aa0fb04640a2e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.3.7"},{"introduced":"0"},{"last_affected":"2.3.8"},{"introduced":"0"},{"last_affected":"2.3.9"},{"introduced":"0"},{"last_affected":"2.3.10"},{"introduced":"0"},{"last_affected":"2.3.11"},{"introduced":"0"},{"last_affected":"2.3.12"},{"introduced":"0"},{"last_affected":"2.3.13"},{"introduced":"0"},{"last_affected":"2.3.14"},{"introduced":"0"},{"last_affected":"2.3.14.1
"},{"introduced":"0"},{"last_affected":"2.3.14.2"},{"introduced":"0"},{"last_affected":"2.3.14.3"},{"introduced":"0"},{"last_affected":"2.3.15"},{"introduced":"0"},{"last_affected":"2.3.15.1"},{"introduced":"0"},{"last_affected":"2.3.15.2"},{"introduced":"0"},{"last_affected":"2.3.15.3"},{"introduced":"0"},{"last_affected":"2.3.16"},{"introduced":"0"},{"last_affected":"2.3.16.1"},{"introduced":"0"},{"last_affected":"2.3.16.2"},{"introduced":"0"},{"last_affected":"2.3.16.3"},{"introduced":"0"},{"last_affected":"2.3.17"},{"introduced":"0"},{"last_affected":"2.3.19"},{"introduced":"0"},{"last_affected":"2.3.20"},{"introduced":"0"},{"last_affected":"2.3.20.1"},{"introduced":"0"},{"last_affected":"2.3.20.2"},{"introduced":"0"},{"last_affected":"2.3.21"},{"introduced":"0"},{"last_affected":"2.3.22"},{"introduced":"0"},{"last_affected":"2.3.23"},{"introduced":"0"},{"last_affected":"2.3.24.2"},{"introduced":"0"},{"last_affected":"2.3.24.3"},{"introduced":"0"},{"last_affected":"2.3.25"},{"introduced":"0"},{"last_affected":"2.3.26"},{"introduced":"0"},{"last_affected":"2.3.27"},{"introduced":"0"},{"last_affected":"2.3.28"},{"introduced":"0"},{"last_affected":"2.3.28.1"},{"introduced":"0"},{"last_affected":"2.3.29"},{"introduced":"0"},{"last_affected":"2.3.30"},{"introduced":"0"},{"last_affected":"2.3.31"},{"introduced":"0"},{"last_affected":"2.3.32"},{"introduced":"0"},{"last_affected":"2.3.33"},{"introduced":"0"},{"last_affected":"2.5"},{"introduced":"0"},{"last_affected":"2.5-beta1"},{"introduced":"0"},{"last_affected":"2.5-beta2"},{"introduced":"0"},{"last_affected":"2.5-beta3"},{"introduced":"0"},{"last_affected":"2.5.1"},{"introduced":"0"},{"last_affected":"2.5.2"},{"introduced":"0"},{"last_affected":"2.5.3"},{"introduced":"0"},{"last_affected":"2.5.4"},{"introduced":"0"},{"last_affected":"2.5.5"},{"introduced":"0"},{"last_affected":"2.5.6"},{"introduced":"0"},{"last_affected":"2.5.7"},{"introduced":"0"},{"last_affected":"2.5.8"},{"introduced":"0"},{"last_affected":"2.5.
9"},{"introduced":"0"},{"last_affected":"2.5.10"},{"introduced":"0"},{"last_affected":"2.5.10.1"},{"introduced":"0"},{"last_affected":"2.5.12"}]}}],"versions":["STRUTS_2_3_10","STRUTS_2_3_11","STRUTS_2_3_12","STRUTS_2_3_13","STRUTS_2_3_14","STRUTS_2_3_14_1","STRUTS_2_3_14_2","STRUTS_2_3_14_3","STRUTS_2_3_15","STRUTS_2_3_15_1","STRUTS_2_3_15_2","STRUTS_2_3_15_3","STRUTS_2_3_16","STRUTS_2_3_16_1","STRUTS_2_3_16_2","STRUTS_2_3_16_3","STRUTS_2_3_17","STRUTS_2_3_19","STRUTS_2_3_20","STRUTS_2_3_20_1","STRUTS_2_3_20_2","STRUTS_2_3_21","STRUTS_2_3_22","STRUTS_2_3_23","STRUTS_2_3_24","STRUTS_2_3_24_1","STRUTS_2_3_24_2","STRUTS_2_3_24_3","STRUTS_2_3_25","STRUTS_2_3_26","STRUTS_2_3_27","STRUTS_2_3_28","STRUTS_2_3_28_1","STRUTS_2_3_29","STRUTS_2_3_30","STRUTS_2_3_31","STRUTS_2_3_32","STRUTS_2_3_33","STRUTS_2_3_7","STRUTS_2_3_8","STRUTS_2_3_9","STRUTS_2_5","STRUTS_2_5_1","STRUTS_2_5_10","STRUTS_2_5_10_1","STRUTS_2_5_11","STRUTS_2_5_12","STRUTS_2_5_2","STRUTS_2_5_3","STRUTS_2_5_4","STRUTS_2_5_5","STRUTS_2_5_6","STRUTS_2_5_7","STRUTS_2_5_8","STRUTS_2_5_9","STRUTS_2_5_BETA1","STRUTS_2_5_BETA2","STRUTS_2_5_BETA3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9793.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}