The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
oryginał ENCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HApache Struts
APPApache2.1.2 – 2.3.34 (bez)2.5.0 – 2.5.13 (bez)Cisco Digital Media Manager
APPCiscowszystkie wersjeCisco Hosted Collaboration Solution
APPCisco10.5\(1\)11.0\(1\)11.5\(1\)11.6\(1\)Cisco Media Experience Engine
APPCisco3.53.5.2Cisco Network Performance Analysis
APPCiscowszystkie wersjeCisco Video Distribution Suite For Internet Streaming
APPCiscowszystkie wersjeNetapp Oncommand Balance
APPNetappwszystkie wersje
CISA KEV — szczegółyi
- Dostawcai
- Apache ↗
- Produkti
- Struts
- Data dodania do KEVi
- 3 listopada 2021
- Termin remediation (USA)i
- 3 maja 2022(po terminie)
Zastosuj aktualizacje zgodnie z instrukcjami dostawcy.
▸ Pokaż oryginał (EN)
Apply updates per vendor instructions.
Wtyczka REST Apache Struts używa XStreamHandler z instancją XStream do deserializacji bez filtrowania typów, co może prowadzić do zdalnego wykonania kodu (RCE) podczas deserializacji ładunków XML.
▸ Pokaż oryginał (EN)
Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.
Powiązane podatności
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution....
The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field v...
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect ex...
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 ...
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a paramet...