Apache Struts2 S2-052 RCE

By
Nash N Sulthan
Published on
16 Jun 2021
Vulnerability

Apache Struts 2 is a sophisticated, extensible platform for developing enterprise-grade Java web applications. The bug is an insecure deserialization flaw in the Struts REST plugin. When deserializing XML payloads, the REST plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an XStream instance that performs no type filtering, so the classes named in an attacker-supplied XML body are instantiated as-is, which can result in remote code execution. Remote code execution is possible because the Struts REST plugin applies no input validation or sanitization to these payloads.
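To make the root cause concrete, the following is an added example (not Struts' or XStream's own code) that contrasts an unfiltered XStream instance, which is what the affected REST plugin effectively used, with one configured to deny every type by default and allow only the DTO the endpoint expects. It assumes XStream 1.4.x on the classpath; the Invoice class and both XML strings are constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamAllowlistDemo {

    // Constructed sample DTO: the only type this REST endpoint legitimately accepts.
    public static class Invoice {
        public String id;
        public int amountCents;
    }

    // "Before": an XStream with no type filtering. Whatever class name appears in the
    // XML is resolved and instantiated. This is the shape of the S2-052 weakness.
    static XStream unfiltered() {
        return new XStream();
    }

    // "After": deny everything, then allow only what the endpoint needs.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);               // nothing is allowed by default
        xs.addPermission(NullPermission.NULL);                 // null references are fine
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);  // int, boolean, ... are fine
        xs.allowTypes(new Class[] { String.class, Invoice.class });
        xs.alias("invoice", Invoice.class);                    // element name used by the API
        return xs;
    }

    // Constructed payload of the expected shape.
    static final String EXPECTED_BODY =
        "<invoice><id>INV-1</id><amountCents>1250</amountCents></invoice>";

    // Constructed payload that names a type outside the allowlist. A harmless JDK
    // collection is used purely to show that the allowlist rejects unexpected types.
    static final String UNEXPECTED_BODY = "<java.util.HashMap/>";

    public static void main(String[] args) {
        XStream xs = hardened();

        // The expected DTO round-trips normally.
        Invoice inv = (Invoice) xs.fromXML(EXPECTED_BODY);
        System.out.println("parsed invoice " + inv.id + " for " + inv.amountCents + " cents");

        // Anything not on the allowlist is refused before it is instantiated.
        try {
            xs.fromXML(UNEXPECTED_BODY);
            System.out.println("unexpected type was accepted (allowlist not in effect)");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected by allowlist: " + e.getMessage());
        }
    }
}
```

The deny-by-default plus explicit allowlist pattern is the same idea the fixed Struts releases apply to the REST plugin's XStream instance; whichever deserializer a service uses, the check to make is that the set of instantiable types is bounded by the application, not by the request.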

Mitigation / Precaution

  • If your web application server is running one of the affected versions, upgrade it as soon as possible to Struts 2.3.34 or Struts 2.5.13.
  • Alternatively, restrict the REST plugin to serving normal pages and JSON only, so that XML payloads are no longer handled.
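The second bullet corresponds to a struts.xml setting. The fragment below is an added example, not text from this page or from the Struts project's advisory: it shows the REST plugin's extension list with xml present (the assumed default form, shown commented out) next to the restricted list that keeps only normal pages and JSON. Treat it as a stopgap while the upgrade is scheduled, and verify after deploying it that a request with an XML body to a REST action is refused rather than deserialized.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- Affected configuration (assumed default form): "xml" is a handled extension,
         so XML request bodies reach the REST plugin's XStreamHandler. -->
    <!-- <constant name="struts.action.extension" value="xhtml,,xml,json" /> -->

    <!-- Restricted configuration: only normal pages and JSON are served. -->
    <constant name="struts.action.extension" value="xhtml,,json" />

    <!-- Remaining application packages and actions are unchanged (placeholder). -->
    <package name="app" extends="rest-default">
        <!-- actions ... -->
    </package>
</struts>
```

The double comma in the value keeps the empty extension (plain action names without a suffix) mapped; removing it would also break normal page requests.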

Written by
Nash N Sulthan
Cyber Security Lead Engineer