Description

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

Remediation

References

http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html

http://www.securityfocus.com/bid/100609

http://www.securitytracker.com/id/1039263

https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax

https://bugzilla.redhat.com/show_bug.cgi?id=1488482

https://cwiki.apache.org/confluence/display/WW/S2-052

https://lgtm.com/blog/apache_struts_CVE-2017-9805

https://security.netapp.com/advisory/ntap-20170907-0001/

https://struts.apache.org/docs/s2-052.html

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2

https://www.exploit-db.com/exploits/42627/

https://www.kb.cert.org/vuls/id/112992

Related Vulnerabilities

CVE-2021-32732 Vulnerability in maven package org.xwiki.platform:xwiki-platform-administration-ui

CVE-2019-10788 Vulnerability in npm package im-metadata

CVE-2023-34614 Vulnerability in maven package cc.plural:jsonij

CVE-2021-23472 Vulnerability in npm package bootstrap-table

CVE-2020-7781 Vulnerability in npm package connection-tester

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Broken Link VDB Entry Vendor Advisory Issue Tracking Mitigation Exploit US Government Resource