CVE-2017-9805 – org.apache.struts:struts2-rest-plugin
Package
Manager: maven
Name: org.apache.struts:struts2-rest-plugin
Vulnerable Version: >=2.1.1 <2.3.34 || >=2.5.0 <2.5.13
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.9439 (percentile 0.99969)
Details
REST Plugin in Apache Struts uses an XStreamHandler with an instance of XStream for deserialization without any type filtering.
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
Metadata
Created: 2018-10-16T19:37:56Z
Modified: 2025-02-07T17:42:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-gg9m-fj3v-r58c/GHSA-gg9m-fj3v-r58c.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-gg9m-fj3v-r58c
Finding: F096
Auto approve: 1