CVE-2017-9791

Name of the Vulnerable Software and Affected Versions Apache Struts versions 2.1.x through 2.3.x

Description The issue exists due to insufficient validation of user-input data that is part of a message, allowing a remote attacker to execute arbitrary code. This can be achieved by passing a malicious field value in a raw message to the ActionMessage.

Recommendations For versions 2.1.x through 2.3.x, consider disabling the Struts 1 plugin until a patch is available to prevent remote code execution via malicious field values in raw messages to the ActionMessage. At the moment, there is no information about a newer version that contains a fix for this vulnerability.