Description

Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads.

Remediation

Upgrade to Struts 2.5.13 or Struts 2.3.34.

References

Security Bulletin S2-052

Related Vulnerabilities

FluxBB Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-35240)

Oracle JRE CVE-2013-5831 Vulnerability (CVE-2013-5831)

XWiki Cross-Site Request Forgery (CSRF) Vulnerability (CVE-2023-29213)

WordPress Plugin Lightbox Jquery Possible Remote Code Execution (0.24)

Ruby Out-of-bounds Read Vulnerability (CVE-2022-28739)

Severity

High

Classification

CVE-2017-9805 CWE-94 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Known Vulnerabilities Acumonitor