Description
Apache Struts 2, specifically the REST Plugin, is susceptible to a Remote Code Execution (RCE) vulnerability identified as S2-052. This vulnerability arises due to the use of a XStreamHandler
with an instance of XStream for deserialization without adequate type filtering. Attackers can exploit this flaw by submitting malicious XML payloads, leading to the execution of arbitrary code on the server.
Recommendation
To mitigate this vulnerability, it is recommended to upgrade to Apache Struts version 2.5.13, 2.3.34, or newer versions.
References
- S2-052 - Apache Struts 2 Wiki
- Apache Struts
- CVE-2017-9805
- CWE-20
- CWE-78
- CAPEC-88
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Apache Struts 2 RCE S2-045 - CVE-2017-5638
- Apache Struts 2 Forced double OGNL evaluation S2-059 - CVE-2019-0230
- Apache Struts OGNL expression RCE S2-057 - CVE-2018-11776
- Apache Tomcat JSP Upload RCE - CVE-2017-12615, CVE-2017-12617
- Tags:
- RCE
- Struts
- Injection
Anything's wrong? Let us know Last updated on May 13, 2024