Apache Struts 2.1.6 < 2.3.34 / 2.5 < 2.5.13 Remote Code Execution (S2-052)

high Web App Scanning Plugin ID 112763

Language:

Synopsis

Apache Struts 2.1.6 < 2.3.34 / 2.5 < 2.5.13 Remote Code Execution (S2-052)

Description

The REST Plugin in Apache Struts 2.1.6 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.

Solution

Refer to the S2-052 vendor advisory for mitigation options.

See Also

https://cwiki.apache.org/confluence/display/WW/S2-052

Plugin Details

Severity: High

ID: 112763

Type: remote

Family: Component Vulnerability

Published: 4/28/2021

Updated: 9/7/2021

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Critical

Score: 9.0

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2017-9805

CVSS v3

Risk Factor: High

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2017-9805

Vulnerability Information

CPE: cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 9/15/2017

CISA Known Exploited Vulnerability Due Dates: 5/3/2022

Reference Information

CVE: CVE-2017-9805

BID: 100609

CWE: 502

OWASP: 2010-A4, 2013-A4, 2013-A9, 2017-A8, 2017-A9, 2021-A6, 2021-A8

WASC: Improper Input Handling

CAPEC: 586

DISA STIG: APSC-DV-002560, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-CM-6b, sp800_53-SI-10(5)

OWASP API: 2019-API7, 2019-API8, 2023-API8

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.5.1

PCI-DSS: 3.2-6.2, 3.2-6.5.1