1 comment

[ 2.7 ms ] story [ 10.2 ms ] thread
TL;DR a problem in deserializing untrusted data submitted via the REST plugin can result in remote code execution. CVE-2017-9805. All versions of Struts since 2008, fixed in today's release of 2.5.13 [1]. If you're using Java and receiving XML data, look really hard at this.

"A RCE attack is possible when using the Struts REST plugin with XStream handler to deserialise XML requests" https://struts.apache.org/docs/s2-052.html

[1] https://struts.apache.org/announce.html#a20170905 for today's release announcement of 2.5.13 that fixes this plus two denial-of-service vulnerabilities.