Apache Struts 2 REST plugin XStream RCE S2-052
Impact: High
Description
The REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
Recommendation
Upgrade to Apache Struts 2.5.13 or 2.3.34, or a newer version.
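The "without any type filtering" wording in the description is the whole issue, and the fixed versions address it by giving the handler a type allowlist. The following added example (not the Struts project's code) contrasts an unfiltered XStream instance with one restricted through XStream's own security framework; the `Order` class and the `order` alias are assumed.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamTypeFiltering {

    // Hypothetical model class a REST endpoint expects to bind from the request body.
    public static class Order {
        public int quantity;
        public String sku;
    }

    // Mirrors the unfiltered handler: any class on the classpath may be instantiated.
    // (Recent XStream releases ship a default allowlist; AnyTypePermission opts out of it.)
    static XStream unfiltered() {
        XStream xs = new XStream();
        xs.addPermission(AnyTypePermission.ANY);
        xs.alias("order", Order.class);
        return xs;
    }

    // Hardened: deny everything first, then allow only what the endpoint actually binds.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, Order.class });
        xs.alias("order", Order.class);
        return xs;
    }

    // Returns the deserialized object, or null when the type allowlist rejects the input.
    static Object parse(XStream xs, String xml) {
        try {
            return xs.fromXML(xml);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected by allowlist: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate order, and a document naming a class the endpoint never asked for.
        String legit = "<order><quantity>2</quantity><sku>A-1</sku></order>";
        String unexpected = "<java.util.HashMap/>";
        System.out.println("unfiltered accepts unexpected type: " + (parse(unfiltered(), unexpected) != null));
        System.out.println("hardened accepts legit order: " + (parse(hardened(), legit) instanceof Order));
        System.out.println("hardened accepts unexpected type: " + (parse(hardened(), unexpected) != null));
    }
}
```

The unfiltered instance happily builds the `HashMap`; the hardened one throws `ForbiddenClassException` for anything outside the allowlist, which is the behaviour to look for when reviewing a deserialization handler.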
References
- S2-052 - Apache Struts 2 Wiki
- Apache Struts
- CVE-2017-9805
- CWE-77
- OWASP 2017-A1
- OWASP 2021-A3
- CWE-20
- OWASP 2017-A9
- OWASP 2021-A6
Last updated on June 06, 2022