Description

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

Remediation

References

http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html

http://www.securityfocus.com/bid/100609

http://www.securitytracker.com/id/1039263

https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax

https://bugzilla.redhat.com/show_bug.cgi?id=1488482

https://cwiki.apache.org/confluence/display/WW/S2-052

https://lgtm.com/blog/apache_struts_CVE-2017-9805

https://security.netapp.com/advisory/ntap-20170907-0001/

https://struts.apache.org/docs/s2-052.html

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2

https://www.exploit-db.com/exploits/42627/

https://www.kb.cert.org/vuls/id/112992

Related Vulnerabilities

CVE-2021-23381 Vulnerability in npm package killing

CVE-2021-21430 Vulnerability in maven package org.openapitools:openapi-generator-project

CVE-2023-35160 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

CVE-2023-24807 Vulnerability in maven package org.webjars.npm:undici

CVE-2022-24802 Vulnerability in npm package deepmerge-ts

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Broken Link VDB Entry Vendor Advisory Issue Tracking Mitigation Exploit US Government Resource