Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

None

Privileges Required

None

Attack Vector

Network

CVE-2017-9791

Disclosure Date: July 10, 2017 •

CVE-2017-9791 CVSS v3 Base Score: 9.8

Exploited in the Wild

Reported by AttackerKB Worker and 1 more...
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Metasploit Module

Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution

Description

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

apache

Products

struts 2.3.1,
struts 2.3.1.1,
struts 2.3.1.2,
struts 2.3.12,
struts 2.3.14,
struts 2.3.14.1,
struts 2.3.14.2,
struts 2.3.14.3,
struts 2.3.15,
struts 2.3.15.1,
struts 2.3.15.2,
struts 2.3.15.3,
struts 2.3.16,
struts 2.3.16.1,
struts 2.3.16.2,
struts 2.3.16.3,
struts 2.3.20,
struts 2.3.20.1,
struts 2.3.20.3,
struts 2.3.24,
struts 2.3.24.1,
struts 2.3.24.3,
struts 2.3.28,
struts 2.3.28.1,
struts 2.3.29,
struts 2.3.3,
struts 2.3.30,
struts 2.3.31,
struts 2.3.32,
struts 2.3.4,
struts 2.3.4.1,
struts 2.3.7,
struts 2.3.8

Metasploit Modules

Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_code_exec_showcase.rb)

Exploited in the Wild

Reported by:

AttackerKB Worker

Reported: September 25, 2020 8:38pm UTC (3 years ago)

gwillcox-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: February 11, 2022 1:00am UTC (2 years ago)

References

Canonical

CVE-2017-9791 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9791)

BID-99484 (http://www.securityfocus.com/bid/99484)

Advisory

http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html

EXPLOIT-DB-42324 (https://www.exploit-db.com/exploits/42324)

http://struts.apache.org/docs/s2-048.html

SECTRACK-1038838 (http://www.securitytracker.com/id/1038838)

EXPLOIT-DB-44643 (https://www.exploit-db.com/exploits/44643)

https://security.netapp.com/advisory/ntap-20180706-0002

Rapid7

Unknown

CVE-2017-9791

Unknown

Unknown

None

None

Network

CVE-2017-9791

Description