CVE-2017-9804 Apache Struts Multiple Security Vulnerabilities (S2-050, S2-051, S2-052)




Apache Struts is an open-source Model-View-Controller (MVC) framework for creating elegant, modern Java web applications.

Apache Struts is exposed to following vulnerabilities:

– Possible DoS attack when using URLValidator (CVE-2017-9804)
– A DoS attack is possible when using outdated XStream library with the Struts REST plugin (CVE-2017-9793).
– A RCE attack is possible when using the Struts REST plugin with XStream handler to deserialise XML requests (CVE-2017-9805).

Affected software:
Struts 2.3.7 – Struts 2.3.33, Struts 2.5 – Struts 2.5.12

QID detection logic (Authenticated) :
This authenticated detection looks for “struts core” jar files in deployed web applications directories and lib folder of Tomcat server.
Once it successfully finds the jar file, information is extracted from that jar files and compared with vulnerable versions.
This detection does NOT support applications are deployed with server configuration unpackWARs=false.


A remote attacker could exploit this vulnerability to execute arbitrary code.


The vendor has released advisories and updates to fix these vulnerabilities.
Refer to the following link for further details: Apache Struts Announcements 05 September 2017

Disable access to the REST API used by Struts as it does not correctly deserialize objects when invoked.

Following are links for downloading patches to fix the vulnerabilities:




Leave a Reply