Description

The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

Remediation

References

http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html

http://www.securityfocus.com/bid/100609

http://www.securitytracker.com/id/1039263

https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax

https://bugzilla.redhat.com/show_bug.cgi?id=1488482

https://cwiki.apache.org/confluence/display/WW/S2-052

https://lgtm.com/blog/apache_struts_CVE-2017-9805

https://security.netapp.com/advisory/ntap-20170907-0001/

https://struts.apache.org/docs/s2-052.html

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2

https://www.exploit-db.com/exploits/42627/

https://www.kb.cert.org/vuls/id/112992

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-9805

Related Vulnerabilities

CVE-2022-25898 Vulnerability in npm package jsrsasign

CVE-2020-9038 Vulnerability in npm package joplin

CVE-2021-28169 Vulnerability in maven package org.eclipse.jetty:jetty-servlets

CVE-2021-21252 Vulnerability in maven package org.webjars.bower:jquery-validation

CVE-2022-45470 Vulnerability in maven package org.apache.hama:hama-core

Severity

Critical

Classification

CWE-502 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Broken Link VDB Entry Vendor Advisory Issue Tracking Mitigation Exploit US Government Resource