PT-2018-3988 · Apache · Struts2-Core
Published
2018-03-27
·
Updated
2020-12-08
·
CVE-2018-1327
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Apache Struts 2.1.1 through 2.5.14.1 (all versions prior to 2.5.16)
Description
The Apache Struts REST Plugin uses the XStream library to deserialize XML request bodies. A remote, unauthenticated attacker can send a request with a specially crafted XML payload that the XStream-based handler processes without sufficient validation, exhausting server resources and causing a denial of service (DoS). Only availability is affected (CVSS vector C:N/I:N/A:C); the flaw does not grant code execution or data access. The root cause is insufficient input validation of XML handled by the REST plugin in struts2-core, which can be triggered by any remote client able to reach an action that accepts XML.
Recommendations
For affected versions, upgrade to Apache Struts 2.5.16 and switch the REST plugin's XML content-type handler to the optional Jackson-based handler (JacksonXmlHandler), as described in the REST plugin documentation on custom content type handlers. Alternatively, implement a custom XML handler based on the Jackson XML handler shipped with Apache Struts 2.5.16. Note that upgrading alone does not remove XStream from the request path; the handler switch is part of the fix. If an immediate upgrade is not possible, restrict or disable XML handling in the REST plugin so that XStream does not parse untrusted request bodies.
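The handler switch referred to above is a struts.xml change. The following is an added example, not the project's own configuration and not text from the original advisory. The `ContentTypeHandler` type, the `JacksonXmlHandler` class and the `struts.rest.handlerOverride.xml` constant are the REST plugin's own; the bean name `jacksonXml` is an arbitrary label chosen here (an assumption). It assumes Struts 2.5.16 or later with the REST plugin and Jackson's XML dataformat module (jackson-dataformat-xml) on the classpath.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- Register the Jackson-based XML handler shipped with Struts 2.5.16.
         The bean name "jacksonXml" is an arbitrary label (assumption);
         any name works as long as the override constant below matches it. -->
    <bean type="org.apache.struts2.rest.handler.ContentTypeHandler"
          name="jacksonXml"
          class="org.apache.struts2.rest.handler.JacksonXmlHandler"/>

    <!-- Route the "xml" extension / XML content type to the Jackson handler
         instead of the REST plugin's default XStream handler. With this in
         place, XStream no longer parses incoming XML request bodies. -->
    <constant name="struts.rest.handlerOverride.xml" value="jacksonXml"/>
</struts>
```

The override applies to both directions of the handler (parsing XML request bodies and rendering XML responses), so existing clients keep working as long as they accept Jackson's serialization of the same model objects. The JSON side is not involved in this advisory and is left at its default. After deploying, confirm the change took effect by sending a request with `Content-Type: application/xml` to a REST action and checking in the application log that the request is handled without XStream on the stack.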
Fix
DoS
Related Identifiers
Affected Products
Apache Struts
Jackson
XStream
Struts2-Core