Description
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
Remediation
References
https://struts.apache.org/docs/s2-052.html
https://cwiki.apache.org/confluence/display/WW/S2-052
https://bugzilla.redhat.com/show_bug.cgi?id=1488482
https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
https://www.exploit-db.com/exploits/42627/
http://www.securitytracker.com/id/1039263
http://www.securityfocus.com/bid/100609
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
https://www.kb.cert.org/vuls/id/112992
https://lgtm.com/blog/apache_struts_CVE-2017-9805
https://security.netapp.com/advisory/ntap-20170907-0001/
Related Vulnerabilities
CVE-2014-7827 Vulnerability in maven package org.picketlink:picketlink-federation
CVE-2020-7617 Vulnerability in npm package ini-parser
CVE-2022-45868 Vulnerability in maven package com.h2database:h2
CVE-2023-29471 Vulnerability in maven package com.typesafe.akka:akka-stream-kafka_3
CVE-2017-0783 Vulnerability in maven package org.apache.openmeetings:openmeetings-web