PT-2017-2795 · Apache +1 · Apache Struts +1

Man Yue Mo · Published 2017-09-05 · Updated 2026-03-10 · CVE-2017-9805

CVSS v2.0: 7.6 (High) · Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Struts versions 2.1.1 through 2.3.x before 2.3.34; Apache Struts versions 2.5.x before 2.5.13
Description: The REST Plugin in Apache Struts uses an XStreamHandler backed by an XStream instance that deserializes XML request bodies without any type filtering. Because nothing restricts which classes the XML payload may name, a remote attacker can submit a crafted XML request and achieve Remote Code Execution on the server.

Recommendations: For Apache Struts versions 2.1.1 through 2.3.x before 2.3.34, upgrade to version 2.3.34 or later. For Apache Struts versions 2.5.x before 2.5.13, upgrade to version 2.5.13 or later. If patching must be delayed, disable the XStreamHandler as a temporary workaround, restrict access to the REST Plugin to reduce exposure, and avoid using the XStream library for deserialization until the issue is resolved.

Exploit · Fix · RCE

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

APACHESTRUTSCVE20179805CHECK
BDU:2017-02057
BDU:2017-02058
CVE-2017-9805
GHSA-29RM-6752-GVWV
GHSA-8FX9-5HX8-CRHM
GHSA-8MR5-H28G-36QX
GHSA-9GP7-JVM2-R4MX
GHSA-GG9M-FJ3V-R58C
GHSA-VWXJ-6M5M-RRVH
GHSA-X5X7-3V85-WPC4

Affected Products

Apache Struts
XStream