ID CVE-2017-9805
Summary The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
References
Vulnerable Configurations
  • Apache Software Foundation Struts 2.1.2
    cpe:2.3:a:apache:struts:2.1.2
  • Apache Software Foundation Struts 2.1.3
    cpe:2.3:a:apache:struts:2.1.3
  • Apache Software Foundation Struts 2.1.4
    cpe:2.3:a:apache:struts:2.1.4
  • Apache Software Foundation Struts 2.1.5
    cpe:2.3:a:apache:struts:2.1.5
  • Apache Software Foundation Struts 2.1.6
    cpe:2.3:a:apache:struts:2.1.6
  • Apache Software Foundation Struts 2.1.8
    cpe:2.3:a:apache:struts:2.1.8
  • Apache Software Foundation Struts 2.1.8.1
    cpe:2.3:a:apache:struts:2.1.8.1
  • Apache Software Foundation Struts 2.2.1
    cpe:2.3:a:apache:struts:2.2.1
  • Apache Software Foundation Struts 2.2.1.1
    cpe:2.3:a:apache:struts:2.2.1.1
  • Apache Software Foundation Struts 2.2.3
    cpe:2.3:a:apache:struts:2.2.3
  • Apache Software Foundation Struts 2.2.3.1
    cpe:2.3:a:apache:struts:2.2.3.1
  • Apache Software Foundation Struts 2.3.1
    cpe:2.3:a:apache:struts:2.3.1
  • Apache Software Foundation Struts 2.3.1.1
    cpe:2.3:a:apache:struts:2.3.1.1
  • Apache Software Foundation Struts 2.3.1.2
    cpe:2.3:a:apache:struts:2.3.1.2
  • Apache Software Foundation Struts 2.3.3
    cpe:2.3:a:apache:struts:2.3.3
  • Apache Software Foundation Struts 2.3.4
    cpe:2.3:a:apache:struts:2.3.4
  • Apache Software Foundation Struts 2.3.4.1
    cpe:2.3:a:apache:struts:2.3.4.1
  • Apache Software Foundation Struts 2.3.7
    cpe:2.3:a:apache:struts:2.3.7
  • Apache Software Foundation Struts 2.3.8
    cpe:2.3:a:apache:struts:2.3.8
  • Apache Software Foundation Struts 2.3.12
    cpe:2.3:a:apache:struts:2.3.12
  • Apache Software Foundation Struts 2.3.14
    cpe:2.3:a:apache:struts:2.3.14
  • Apache Software Foundation Struts 2.3.14.1
    cpe:2.3:a:apache:struts:2.3.14.1
  • Apache Software Foundation Struts 2.3.14.2
    cpe:2.3:a:apache:struts:2.3.14.2
  • Apache Software Foundation Struts 2.3.14.3
    cpe:2.3:a:apache:struts:2.3.14.3
  • Apache Software Foundation Struts 2.3.15
    cpe:2.3:a:apache:struts:2.3.15
  • Apache Software Foundation Struts 2.3.15.1
    cpe:2.3:a:apache:struts:2.3.15.1
  • Apache Software Foundation Struts 2.3.15.2
    cpe:2.3:a:apache:struts:2.3.15.2
  • Apache Software Foundation Struts 2.3.15.3
    cpe:2.3:a:apache:struts:2.3.15.3
  • Apache Software Foundation Struts 2.3.16
    cpe:2.3:a:apache:struts:2.3.16
  • Apache Software Foundation Struts 2.3.16.1
    cpe:2.3:a:apache:struts:2.3.16.1
  • Apache Software Foundation Struts 2.3.16.2
    cpe:2.3:a:apache:struts:2.3.16.2
  • Apache Software Foundation Struts 2.3.16.3
    cpe:2.3:a:apache:struts:2.3.16.3
  • Apache Software Foundation Struts 2.3.20
    cpe:2.3:a:apache:struts:2.3.20
  • Apache Software Foundation Struts 2.3.20.1
    cpe:2.3:a:apache:struts:2.3.20.1
  • Apache Software Foundation Struts 2.3.20.3
    cpe:2.3:a:apache:struts:2.3.20.3
  • Apache Software Foundation Struts 2.3.24
    cpe:2.3:a:apache:struts:2.3.24
  • Apache Software Foundation Struts 2.3.24.1
    cpe:2.3:a:apache:struts:2.3.24.1
  • Apache Struts 2.3.24.3
    cpe:2.3:a:apache:struts:2.3.24.3
  • Apache Software Foundation Struts 2.3.28
    cpe:2.3:a:apache:struts:2.3.28
  • Apache Struts 2.3.28.1
    cpe:2.3:a:apache:struts:2.3.28.1
  • Apache Software Foundation Struts 2.3.29
    cpe:2.3:a:apache:struts:2.3.29
  • Apache Software Foundation Struts 2.3.30
    cpe:2.3:a:apache:struts:2.3.30
  • Apache Software Foundation Struts 2.3.31
    cpe:2.3:a:apache:struts:2.3.31
  • Apache Software Foundation Struts 2.3.32
    cpe:2.3:a:apache:struts:2.3.32
  • Apache Software Foundation Struts 2.3.33
    cpe:2.3:a:apache:struts:2.3.33
  • Apache Software Foundation Struts 2.5.1
    cpe:2.3:a:apache:struts:2.5.1
  • Apache Software Foundation Struts 2.5.2
    cpe:2.3:a:apache:struts:2.5.2
  • Apache Software Foundation Struts 2.5.3
    cpe:2.3:a:apache:struts:2.5.3
  • Apache Software Foundation Struts 2.5.4
    cpe:2.3:a:apache:struts:2.5.4
  • Apache Software Foundation Struts 2.5.5
    cpe:2.3:a:apache:struts:2.5.5
  • Apache Software Foundation Struts 2.5.6
    cpe:2.3:a:apache:struts:2.5.6
  • Apache Software Foundation Struts 2.5.7
    cpe:2.3:a:apache:struts:2.5.7
  • Apache Software Foundation Struts 2.5.8
    cpe:2.3:a:apache:struts:2.5.8
  • Apache Software Foundation Struts 2.5.9
    cpe:2.3:a:apache:struts:2.5.9
  • Apache Software Foundation Struts 2.5.10
    cpe:2.3:a:apache:struts:2.5.10
  • Apache Software Foundation Struts 2.5.10.1
    cpe:2.3:a:apache:struts:2.5.10.1
  • Apache Software Foundation Struts 2.5.11
    cpe:2.3:a:apache:struts:2.5.11
  • Apache Software Foundation Struts 2.5.12
    cpe:2.3:a:apache:struts:2.5.12
CVSS
Base: 6.8
Impact:
Exploitability:
CWE CWE-502
CAPEC
d2sec via4
name Apache Struts REST Plugin XStream RCE
url http://www.d2sec.com/exploits/apache_struts_rest_plugin_xstream_rce.html
exploit-db via4
description Apache Struts 2.5 - Remote Code Execution. CVE-2017-9805. Remote exploit for Linux platform
file exploits/linux/remote/42627.py
id EDB-ID:42627
last seen 2017-09-07
modified 2017-09-06
platform linux
port
published 2017-09-06
reporter Exploit-DB
source https://www.exploit-db.com/download/42627/
title Apache Struts 2.5 - Remote Code Execution
type remote
metasploit via4
description Apache Struts versions 2.1.2 - 2.3.33 and Struts 2.5 - Struts 2.5.12, using the REST plugin, are vulnerable to a Java deserialization attack in the XStream library.
id MSF:EXPLOIT/MULTI/HTTP/STRUTS2_REST_XSTREAM
last seen 2019-03-21
modified 2019-02-25
published 2017-09-06
reliability Excellent
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_rest_xstream.rb
title Apache Struts 2 REST Plugin XStream RCE
nessus via4
  • NASL family CGI abuses
    NASL id STRUTS_2_5_13_REST_RCE.NASL
    description The remote web application appears to use the Apache Struts 2 web framework. A remote code execution vulnerability exists in the REST plugin, which uses XStreamHandler to insecurely deserialize user-supplied input in XML requests. An unauthenticated, remote attacker can exploit this, via a specially crafted XML request, to execute arbitrary code. Note that this plugin only reports the first vulnerable instance of a Struts 2 application.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 102977
    published 2017-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102977
    title Apache Struts 2 REST Plugin XStream XML Request Deserialization RCE
  • NASL family Misc.
    NASL id STRUTS_2_5_13.NASL
    description The version of Apache Struts running on the remote host is 2.1.x subsequent to or equal to 2.1.2, 2.2.x, 2.3.x prior to 2.3.34, or 2.5.x prior to 2.5.13. It is, therefore, affected by multiple vulnerabilities:
      - A remote code execution vulnerability in the REST plugin. The Struts REST plugin uses an XStreamHandler with an instance of XStream for deserialization and does not perform any type filtering when deserializing XML payloads. This can allow an unauthenticated, remote attacker to execute arbitrary code in the context of the Struts REST plugin by sending a specially crafted XML payload. (CVE-2017-9805)
      - A denial of service vulnerability in the XStream XML deserializer in the XStreamHandler used by the REST plugin. (CVE-2017-9793)
      - A denial of service vulnerability when using URLValidator. (CVE-2017-9804)
      - A flaw exists related to 'freemarker' tags, expression literals, 'views/freemarker/FreemarkerManager.java', and forced expressions that allows arbitrary code execution. (CVE-2017-12611)
    Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-02-15
    plugin id 102960
    published 2017-09-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102960
    title Apache Struts 2.1.x >= 2.1.2 / 2.2.x / 2.3.x < 2.3.34 / 2.5.x < 2.5.13 Multiple Vulnerabilities (S2-050 - S2-053)
packetstorm via4
refmap via4
bid 100609
cert-vn VU#112992
cisco 20170907 Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017
confirm
exploit-db 42627
misc https://lgtm.com/blog/apache_struts_CVE-2017-9805
sectrack 1039263
saint via4
bid 100609
description Apache Struts REST plugin XStream deserialization vulnerability
id web_dev_struts2xstreamrce
title struts_rest_plugin_xstream
type remote
the hacker news via4
Last major update 15-09-2017 - 15:29
Published 15-09-2017 - 15:29
Last modified 09-11-2017 - 21:29