Description

Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads.

Remediation

Upgrade to Struts 2.5.13 or Struts 2.3.34.

References

Security Bulletin S2-052

Related Vulnerabilities

MySQL CVE-2022-21635 Vulnerability (CVE-2022-21635)

Unauthenticated OGNL injection in Confluence Server and Data Center (CVE-2023-22527)

SugarCRM Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2019-17318)

Trac Incorrect Default Permissions Vulnerability (CVE-2010-5108)

PHP Out-of-bounds Read Vulnerability (CVE-2019-11046)

Severity

High

Classification

CVE-2017-9805 CWE-94 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Known Vulnerabilities Acumonitor