
Apache Struts RCE Vulnerability (S2-048) - Active Check CVE-2017-9791

CVSSv3 Score
Vulnerability description

Apache Struts is prone to a remote code execution (RCE) vulnerability.

Risk description

An RCE attack is possible with a malicious field value when the Struts 1 plugin for Struts 2 is used with a Struts 1 action and the value is part of a message presented to the user, i.e. when untrusted input is used as part of the error message in the ActionMessage class. Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the affected application.


As a mitigation, always use resource keys instead of passing a raw message to the ActionMessage, as shown in the references; never pass a raw value directly.
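A source-audit check for the mitigation above, added here as an example and not part of the original page or of Apache Struts: it flags `new ActionMessage(...)` calls whose first argument is anything other than a single string literal, so they can be reviewed for raw messages built from input. The Java snippet, `uform` and the `user.added` key are constructed for illustration.

```python
import re

# Constructed Struts 1 action code; `uform` and the "user.added" key are hypothetical.
SAMPLE = '''\
    ActionMessages messages = new ActionMessages();
    // raw message built from a form field
    messages.add("msg", new ActionMessage("User " + uform.getName() + " was added"));
    // resource key, with the field passed as a message parameter
    messages.add("msg", new ActionMessage("user.added", uform.getName()));
    addMessages(request, messages);
'''

CTOR = re.compile(r"\bnew\s+ActionMessage\s*\(")
LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"')

def first_argument(src, start):
    """Return the first constructor argument; `start` is the index after '('."""
    depth, quote, i = 0, None, start
    while i < len(src):
        ch = src[i]
        if quote:                      # inside a string or char literal
            if ch == "\\":
                i += 1                 # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            if depth == 0:
                break                  # closing paren of the constructor
            depth -= 1
        elif ch == "," and depth == 0:
            break                      # end of the first argument
        i += 1
    return src[start:i].strip()

def audit(src):
    """List (line, argument) for ActionMessage calls whose first argument
    is not a single string literal, i.e. not an obvious resource key."""
    findings = []
    for m in CTOR.finditer(src):
        arg = first_argument(src, m.end())
        if not LITERAL.fullmatch(arg):
            findings.append((src.count("\n", 0, m.start()) + 1, arg))
    return findings
```

A variable or constant holding a resource key is also reported, so each finding is a prompt for manual review, not a confirmed defect.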

Not available
Detectable with
Network Scanner
Scan engine
Exploitable with Sniper
CVE Published
Jul 10, 2017
Detection added at
Software Type
Not available
Not available
Not available