The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HApache Struts
APPApache2.1.2 – 2.3.34 (bez)2.5.0 – 2.5.13 (bez)Cisco Digital Media Manager
APPCiscowszystkie wersjeCisco Hosted Collaboration Solution
APPCisco10.5\(1\)11.0\(1\)11.5\(1\)11.6\(1\)Cisco Media Experience Engine
APPCisco3.53.5.2Cisco Network Performance Analysis
APPCiscowszystkie wersjeCisco Video Distribution Suite For Internet Streaming
APPCiscowszystkie wersjeNetapp Oncommand Balance
APPNetappwszystkie wersje
CISA KEV — detailsi
- Vendori
- Apache ↗
- Producti
- Struts
- Added to KEVi
- November 3, 2021
- Remediation deadline (US Federal)i
- May 3, 2022(overdue)
Apply updates per vendor instructions.
Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.
Related vulnerabilities
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution....
The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field v...
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect ex...
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 ...
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a paramet...