Cyber Resilience

CVE-2017-9791

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 10 July 2017

Modified: 21 April 2026
KEV Added: 10 February 2022
CVSS Score: v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9413 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-9791 is a critical-severity Improper Input Validation (CWE-20) vulnerability in the Struts 1 plugin of Apache Struts 2. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by EPSS exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof of concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability CVE-2017-9791 resides in the Struts 1 plugin of Apache Struts 2.1.x and 2.3.x. It is an instance of improper input validation (CWE-20): when a Struts 1 action builds an ActionMessage from a raw string that contains an untrusted field value, the plugin hands that string to Struts 2's message handling, which evaluates OGNL expressions embedded in it, so a crafted field value can lead to remote code execution. The flaw is rated 9.8 under CVSS 3.1, reflecting network exploitability with low attack complexity and no authentication or user interaction required.

An unauthenticated remote attacker can supply a crafted field value to any Struts 2 application that uses the Struts 1 plugin and echoes that value through an ActionMessage built from a raw string, achieving arbitrary code execution on the server and full compromise of confidentiality, integrity, and availability.

The primary advisory at http://struts.apache.org/docs/s2-048.html, along with related notices from Oracle, SecurityTracker, and NetApp, directs administrators to apply the available patches or to disable or remove the affected plugin; the advisory's code-level workaround is to pass ActionMessage a resource-bundle key with the user value as a substitution argument, never a raw string built from user input. Additional references such as the SecurityFocus entry provide further details on affected builds and recommended upgrade paths.
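The unsafe message pattern the advisory warns about, next to the resource-key form it recommends, as an added Java example; this is not code from this page or from the Apache Struts project. The class and field names, the resource key added.entry, and the forward name success are assumptions for illustration.

```java
// Added example (not from the page or the Struts project). Assumed names:
// AddAction, AddForm, the "name" field, resource key "added.entry", forward "success".
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;

public class AddAction extends Action {

    /** Form bean carrying the one user-controlled field (assumed name). */
    public static class AddForm extends ActionForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * VULNERABLE (the S2-048 pattern): the untrusted field value is
     * concatenated into the string passed as the message "key". When the
     * action runs under the Struts 2 Struts 1 plugin, that raw string is
     * handed to Struts 2's message handling, which evaluates OGNL
     * expressions embedded in it, so the attacker controls what is
     * evaluated on the server. Kept here only for contrast; never call it.
     */
    static ActionMessage unsafeMessage(String untrustedName) {
        return new ActionMessage("Added " + untrustedName);
    }

    /**
     * HARDENED: only a fixed resource-bundle key is passed as the key. The
     * user value travels as a substitution argument ({0}) and is never
     * interpreted as a message or an expression.
     * Assumed resource bundle entry:  added.entry=Added {0}
     */
    static ActionMessage safeMessage(String untrustedName) {
        return new ActionMessage("added.entry", untrustedName);
    }

    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        AddForm f = (AddForm) form;

        ActionMessages messages = new ActionMessages();
        // Use the resource-key form; the raw-string form above is what
        // CVE-2017-9791 exploits.
        messages.add(ActionMessages.GLOBAL_MESSAGE, safeMessage(f.getName()));
        saveMessages(request, messages);

        return mapping.findForward("success");
    }
}
```

The difference is entirely in what reaches the ActionMessage key argument: a constant chosen by the developer versus a string the request can shape. Reviewing a code base for this bug therefore means grepping for ActionMessage constructors whose first argument is anything other than a literal key.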

The supplied references do not themselves describe observed in-the-wild exploitation; the evidence of active exploitation is the CISA KEV listing (added 10 February 2022).


Vulnerability details

The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

CWE(s): CWE-20 (Improper Input Validation)
KEV Date Added: 10 February 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: struts
Versions: 2.3.1, 2.3.1.1, 2.3.1.2, 2.3.12, 2.3.14

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation [prevent]
Directly enforces validation of untrusted field values supplied to ActionMessage, blocking the malicious input that triggers RCE.

SI-2 Flaw Remediation [prevent]
Requires timely application of the Struts patches or removal of the vulnerable Struts 1 plugin as specified in the advisory.

Component removal [prevent]
Limits installed components by disabling or removing the Struts 1 plugin, eliminating the attack surface for this flaw.
