cvelist/2017/9xxx/CVE-2017-9805.json

{
   "CVE_data_meta" : {
      "ASSIGNER" : "security@apache.org",
      "ID" : "CVE-2017-9805",
      "STATE" : "PUBLIC"
   },
   "affects" : {
      "vendor" : {
         "vendor_data" : [
            {
               "product" : {
                  "product_data" : [
                     {
                        "product_name" : "Apache Struts before 2.3.34 and 2.5.x before 2.5.13",
                        "version" : {
                           "version_data" : [
                              {
                                 "version_value" : "Apache Struts before 2.3.34 and 2.5.x before 2.5.13"
                              }
                           ]
                        }
                     }
                  ]
               },
               "vendor_name" : "n/a"
            }
         ]
      }
   },
   "data_format" : "MITRE",
   "data_type" : "CVE",
   "data_version" : "4.0",
   "description" : {
      "description_data" : [
         {
            "lang" : "eng",
            "value" : "The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads."
         }
      ]
   },
   "problemtype" : {
      "problemtype_data" : [
         {
            "description" : [
               {
                  "lang" : "eng",
                  "value" : "RCE"
               }
            ]
         }
      ]
   },
   "references" : {
      "reference_data" : [
         {
            "name" : "42627",
            "refsource" : "EXPLOIT-DB",
            "url" : "https://www.exploit-db.com/exploits/42627/"
         },
         {
            "name" : "https://lgtm.com/blog/apache_struts_CVE-2017-9805",
            "refsource" : "MISC",
            "url" : "https://lgtm.com/blog/apache_struts_CVE-2017-9805"
         },
         {
            "name" : "https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax",
            "refsource" : "CONFIRM",
            "url" : "https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax"
         },
         {
            "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=1488482",
            "refsource" : "CONFIRM",
            "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1488482"
         },
         {
            "name" : "https://cwiki.apache.org/confluence/display/WW/S2-052",
            "refsource" : "CONFIRM",
            "url" : "https://cwiki.apache.org/confluence/display/WW/S2-052"
         },
         {
            "name" : "https://struts.apache.org/docs/s2-052.html",
            "refsource" : "CONFIRM",
            "url" : "https://struts.apache.org/docs/s2-052.html"
         },
         {
            "name" : "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html",
            "refsource" : "CONFIRM",
            "url" : "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html"
         },
         {
            "name" : "https://security.netapp.com/advisory/ntap-20170907-0001/",
            "refsource" : "CONFIRM",
            "url" : "https://security.netapp.com/advisory/ntap-20170907-0001/"
         },
         {
            "name" : "20170907 Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017",
            "refsource" : "CISCO",
            "url" : "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2"
         },
         {
            "name" : "VU#112992",
            "refsource" : "CERT-VN",
            "url" : "https://www.kb.cert.org/vuls/id/112992"
         },
         {
            "name" : "100609",
            "refsource" : "BID",
            "url" : "http://www.securityfocus.com/bid/100609"
         },
         {
            "name" : "1039263",
            "refsource" : "SECTRACK",
            "url" : "http://www.securitytracker.com/id/1039263"
         }
      ]
   }
}
- Populated repo from CVE List. 2017-10-16 12:31:07 -04:00			`{`
			`"CVE_data_meta" : {`
			`"ASSIGNER" : "security@apache.org",`
			`"ID" : "CVE-2017-9805",`
			`"STATE" : "PUBLIC"`
			`},`
			`"affects" : {`
			`"vendor" : {`
			`"vendor_data" : [`
			`{`
			`"product" : {`
			`"product_data" : [`
			`{`
			`"product_name" : "Apache Struts before 2.3.34 and 2.5.x before 2.5.13",`
			`"version" : {`
			`"version_data" : [`
			`{`
			`"version_value" : "Apache Struts before 2.3.34 and 2.5.x before 2.5.13"`
			`}`
			`]`
			`}`
			`}`
			`]`
			`},`
			`"vendor_name" : "n/a"`
			`}`
			`]`
			`}`
			`},`
			`"data_format" : "MITRE",`
			`"data_type" : "CVE",`
			`"data_version" : "4.0",`
			`"description" : {`
			`"description_data" : [`
			`{`
			`"lang" : "eng",`
			`"value" : "The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads."`
			`}`
			`]`
			`},`
			`"problemtype" : {`
			`"problemtype_data" : [`
			`{`
			`"description" : [`
			`{`
			`"lang" : "eng",`
			`"value" : "RCE"`
			`}`
			`]`
			`}`
			`]`
			`},`
			`"references" : {`
			`"reference_data" : [`
			`{`
- Added 'refsource' and 'name' attributes for reference urls and aligned treatment of whitespace in descriptions with data downloads. 2018-04-05 09:33:01 -04:00			`"name" : "42627",`
			`"refsource" : "EXPLOIT-DB",`
- Populated repo from CVE List. 2017-10-16 12:31:07 -04:00			`"url" : "https://www.exploit-db.com/exploits/42627/"`
			`},`
- Synchronized data. 2017-10-30 11:03:23 -04:00			`{`
- Added 'refsource' and 'name' attributes for reference urls and aligned treatment of whitespace in descriptions with data downloads. 2018-04-05 09:33:01 -04:00			`"name" : "https://lgtm.com/blog/apache_struts_CVE-2017-9805",`
			`"refsource" : "MISC",`
- Synchronized data. 2017-10-30 11:03:23 -04:00			`"url" : "https://lgtm.com/blog/apache_struts_CVE-2017-9805"`
			`},`
- Populated repo from CVE List. 2017-10-16 12:31:07 -04:00			`{`
- Added 'refsource' and 'name' attributes for reference urls and aligned treatment of whitespace in descriptions with data downloads. 2018-04-05 09:33:01 -04:00			`"name" : "https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax",`
			`"refsource" : "CONFIRM",`
- Populated repo from CVE List. 2017-10-16 12:31:07 -04:00			`"url" : "https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax"`
			`},`
			`{`
- Added 'refsource' and 'name' attributes for reference urls and aligned treatment of whitespace in descriptions with data downloads. 2018-04-05 09:33:01 -04:00			`"name" : "https://bugzilla.redhat.com/show_bug.cgi?id=1488482",`
			`"refsource" : "CONFIRM",`
- Populated repo from CVE List. 2017-10-16 12:31:07 -04:00			`"url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1488482"`
			`},`
			`{`
- Added 'refsource' and 'name' attributes for reference urls and aligned treatment of whitespace in descriptions with data downloads. 2018-04-05 09:33:01 -04:00			`"name" : "https://cwiki.apache.org/confluence/display/WW/S2-052",`
			`"refsource" : "CONFIRM",`
- Populated repo from CVE List. 2017-10-16 12:31:07 -04:00			`"url" : "https://cwiki.apache.org/confluence/display/WW/S2-052"`
			`},`
			`{`
- Added 'refsource' and 'name' attributes for reference urls and aligned treatment of whitespace in descriptions with data downloads. 2018-04-05 09:33:01 -04:00			`"name" : "https://struts.apache.org/docs/s2-052.html",`
			`"refsource" : "CONFIRM",`
- Populated repo from CVE List. 2017-10-16 12:31:07 -04:00			`"url" : "https://struts.apache.org/docs/s2-052.html"`
			`},`
			`{`
- Added 'refsource' and 'name' attributes for reference urls and aligned treatment of whitespace in descriptions with data downloads. 2018-04-05 09:33:01 -04:00			`"name" : "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html",`
			`"refsource" : "CONFIRM",`
- Populated repo from CVE List. 2017-10-16 12:31:07 -04:00			`"url" : "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html"`
			`},`
- Synchronized data. 2017-11-09 06:03:56 -05:00			`{`
- Added 'refsource' and 'name' attributes for reference urls and aligned treatment of whitespace in descriptions with data downloads. 2018-04-05 09:33:01 -04:00			`"name" : "https://security.netapp.com/advisory/ntap-20170907-0001/",`
			`"refsource" : "CONFIRM",`
- Synchronized data. 2017-11-09 06:03:56 -05:00			`"url" : "https://security.netapp.com/advisory/ntap-20170907-0001/"`
			`},`
- Populated repo from CVE List. 2017-10-16 12:31:07 -04:00			`{`
- Added 'refsource' and 'name' attributes for reference urls and aligned treatment of whitespace in descriptions with data downloads. 2018-04-05 09:33:01 -04:00			`"name" : "20170907 Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017",`
			`"refsource" : "CISCO",`
- Populated repo from CVE List. 2017-10-16 12:31:07 -04:00			`"url" : "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2"`
			`},`
- Synchronized data. 2017-10-30 11:03:23 -04:00			`{`
- Added 'refsource' and 'name' attributes for reference urls and aligned treatment of whitespace in descriptions with data downloads. 2018-04-05 09:33:01 -04:00			`"name" : "VU#112992",`
			`"refsource" : "CERT-VN",`
- Synchronized data. 2017-10-30 11:03:23 -04:00			`"url" : "https://www.kb.cert.org/vuls/id/112992"`
			`},`
- Populated repo from CVE List. 2017-10-16 12:31:07 -04:00			`{`
- Added 'refsource' and 'name' attributes for reference urls and aligned treatment of whitespace in descriptions with data downloads. 2018-04-05 09:33:01 -04:00			`"name" : "100609",`
			`"refsource" : "BID",`
- Populated repo from CVE List. 2017-10-16 12:31:07 -04:00			`"url" : "http://www.securityfocus.com/bid/100609"`
			`},`
			`{`
- Added 'refsource' and 'name' attributes for reference urls and aligned treatment of whitespace in descriptions with data downloads. 2018-04-05 09:33:01 -04:00			`"name" : "1039263",`
			`"refsource" : "SECTRACK",`
- Populated repo from CVE List. 2017-10-16 12:31:07 -04:00			`"url" : "http://www.securitytracker.com/id/1039263"`
			`}`
			`]`
			`}`
			`}`