Description

Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads.

Remediation

Upgrade to Struts 2.5.13 or Struts 2.3.34.

References

Security Bulletin S2-052

Related Vulnerabilities

Moodle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-25627)

PHP Other Vulnerability (CVE-2007-1824)

Squid Integer Overflow or Wraparound Vulnerability (CVE-2020-11945)

Magento CVE-2019-8119 Vulnerability (CVE-2019-8119)

MySQL CVE-2021-2217 Vulnerability (CVE-2021-2217)

Severity

High

Classification

CVE-2017-9805 CWE-94 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Known Vulnerabilities Acumonitor