Apache Struts 2 REST Plugin XStream XML Request Deserialization RCE
Medium Nessus Plugin ID 102977
The remote web server contains a web application that uses a Java framework that is affected by a remote code execution vulnerability.
The remote web application appears to use the Apache Struts 2 web framework. A remote code execution vulnerability exists in the REST plugin, which uses XStreamHandler to insecurely deserialize user-supplied input in XML requests. An unauthenticated, remote attacker can exploit this, via a specially crafted XML request, to execute arbitrary code. Note that this plugin only reports the first vulnerable instance of a Struts 2 application.
Upgrade to Apache Struts version 2.3.34 or later, or 2.5.13 or later.
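The weakness described above is XStream converting whatever type an XML request names into a Java object. Beyond upgrading, the defensive pattern is a deny-by-default XStream instance that only instantiates an explicit allow-list of types. The following is an added illustration of that pattern, not code from Apache Struts, its REST plugin or the Nessus plugin; it assumes XStream 1.4.7 or later (where the type-permission API exists) and uses a hypothetical `Order` DTO as the only accepted payload type.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStreamExample {

    // Hypothetical DTO: the only object the endpoint should ever build from XML.
    public static class Order {
        public String sku;
        public int quantity;
    }

    // Deny-by-default XStream: no type deserializes unless explicitly allowed.
    static XStream buildHardenedXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);          // drop all default permissions
        xs.addPermission(NullPermission.NULL);            // allow null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, Order.class }); // the allow-list
        xs.alias("order", Order.class);                   // <order> root maps to Order
        return xs;
    }

    public static void main(String[] args) {
        XStream xs = buildHardenedXStream();

        // Constructed request body naming only the allow-listed type: accepted.
        String good = "<order><sku>ABC-1</sku><quantity>3</quantity></order>";
        Order o = (Order) xs.fromXML(good);
        System.out.println("accepted: " + o.sku + " x" + o.quantity);

        // Constructed body naming a type outside the allow-list: XStream refuses
        // to resolve the class, so no object is ever instantiated.
        String bad = "<java.util.HashMap/>";
        try {
            xs.fromXML(bad);
            System.out.println("unexpected: payload was accepted");
        } catch (XStreamException e) {
            // ForbiddenClassException (a subclass of XStreamException) is raised here
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Review the allow-list whenever a new request type is added; every class on it (and every field type those classes contain) becomes reachable from unauthenticated XML input.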