The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
References
Link | Resource
---|---
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html | Third Party Advisory
http://www.securityfocus.com/bid/100609 | Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1039263 | Third Party Advisory, VDB Entry
https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax | Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1488482 | Issue Tracking, Third Party Advisory, VDB Entry
https://cwiki.apache.org/confluence/display/WW/S2-052 | Mitigation, Vendor Advisory
https://lgtm.com/blog/apache_struts_CVE-2017-9805 |
https://security.netapp.com/advisory/ntap-20170907-0001/ |
https://struts.apache.org/docs/s2-052.html | Vendor Advisory
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2 | Third Party Advisory
https://www.exploit-db.com/exploits/42627/ | Third Party Advisory, VDB Entry
https://www.kb.cert.org/vuls/id/112992 |
Configurations
Configuration 1
History
No history.
Information
Published : 2017-09-15 19:29
Updated : 2023-12-10 12:15
NVD link : CVE-2017-9805
Mitre link : CVE-2017-9805
CVE.ORG link : CVE-2017-9805
Products Affected
apache
- struts
CWE
CWE-502
Deserialization of Untrusted Data