The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2017-9805 | Apache Struts Deserialization of Untrusted Data Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
Comments
CVE-2017-9805 is a deserialization vulnerability in the Apache Struts REST Plugin that could allow an attacker to execute arbitrary commands remotely on the affected systems by sending a specially crafted web request to the application.
References
|
| CVE-2017-9805 | Apache Struts Deserialization of Untrusted Data Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
Comments
CVE-2017-9805 is a deserialization vulnerability in the Apache Struts REST Plugin that could allow an attacker to execute arbitrary commands remotely on the affected systems by sending a specially crafted web request to the application.
References
|