Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdnOW0tZmozdi1yNThj
REST Plugin in Apache Struts uses an XStreamHandler with an instance of XStream for deserialization without any type filtering
The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
Permalink: https://github.com/advisories/GHSA-gg9m-fj3v-r58cJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWdnOW0tZmozdi1yNThj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: 4 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-gg9m-fj3v-r58c, CVE-2017-9805
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-9805
- https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
- https://bugzilla.redhat.com/show_bug.cgi?id=1488482
- https://cwiki.apache.org/confluence/display/WW/S2-052
- https://lgtm.com/blog/apache_struts_CVE-2017-9805
- https://security.netapp.com/advisory/ntap-20170907-0001/
- https://struts.apache.org/docs/s2-052.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2
- https://www.exploit-db.com/exploits/42627/
- https://www.kb.cert.org/vuls/id/112992
- http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html
- https://github.com/apache/struts/commit/19494718865f2fb7da5ea363de3822f87fbda26
- https://github.com/apache/struts/commit/6dd6e5cfb7b5e020abffe7e8091bd63fe97c10a
- https://web.archive.org/web/20170909031344/http://www.securityfocus.com/bid/100609
- https://web.archive.org/web/20170922053119/http://www.securitytracker.com/id/1039263
- https://github.com/advisories/GHSA-gg9m-fj3v-r58c
Blast Radius: 18.8
Affected Packages
maven:org.apache.struts:struts2-rest-plugin
Dependent packages: 11Dependent repositories: 212
Downloads:
Affected Version Ranges: >= 2.1.2, < 2.3.34, >= 2.5.0, < 2.5.13
Fixed in: 2.3.34, 2.5.13
All affected versions: 2.1.2, 2.1.6, 2.1.8, 2.2.1, 2.2.3, 2.3.1, 2.3.3, 2.3.4, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.15, 2.3.16, 2.3.20, 2.3.24, 2.3.28, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.5.1, 2.5.2, 2.5.5, 2.5.8, 2.5.10, 2.5.12
All unaffected versions: 2.3.34, 2.3.35, 2.3.36, 2.3.37, 2.5.13, 2.5.14, 2.5.16, 2.5.17, 2.5.18, 2.5.20, 2.5.22, 2.5.25, 2.5.26, 2.5.27, 2.5.28, 2.5.29, 2.5.30, 2.5.31, 2.5.32, 2.5.33, 6.0.0, 6.0.3, 6.1.1, 6.1.2, 6.2.0, 6.3.0, 6.4.0