Description

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

Remediation

References

https://struts.apache.org/docs/s2-052.html

https://cwiki.apache.org/confluence/display/WW/S2-052

https://bugzilla.redhat.com/show_bug.cgi?id=1488482

https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax

https://www.exploit-db.com/exploits/42627/

http://www.securitytracker.com/id/1039263

http://www.securityfocus.com/bid/100609

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2

http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html

https://www.kb.cert.org/vuls/id/112992

https://lgtm.com/blog/apache_struts_CVE-2017-9805

https://security.netapp.com/advisory/ntap-20170907-0001/

Related Vulnerabilities

CVE-2023-51656 Vulnerability in maven package org.apache.iotdb:iotdb-server

CVE-2021-29489 Vulnerability in npm package highcharts

CVE-2022-2064 Vulnerability in npm package nocodb

CVE-2017-7669 Vulnerability in maven package org.apache.hadoop:hadoop-common

CVE-2022-48285 Vulnerability in maven package org.webjars.npm:jszip

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Mitigation Vendor Advisory Issue Tracking Third Party Advisory VDB Entry Exploit Broken Link Patch US Government Resource