The Struts REST plugin uses an XStreamHandler backed by an XStream instance that deserializes request bodies without any type filtering. Because XStream lets the XML root element name select the class to instantiate, an unauthenticated client can have the server reconstruct arbitrary classes from an XML payload, which can lead to remote code execution.
Affected upstream versions: Struts 2.5 through Struts 2.5.12
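The following is an added illustration of the pattern described above and is not code from Struts or from the Struts fix; the `OrderRequest` DTO, the `order` alias and the sample XML payloads are constructed for this example. It contrasts an XStream instance with no type filtering (the pre-1.4.18 default, restored here explicitly with `AnyTypePermission.ANY`) against one configured with XStream's own security framework to accept only the types the endpoint actually needs.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamTypeFilteringDemo {

    // Hypothetical request object an endpoint expects (not a Struts class).
    public static class OrderRequest {
        public String item;
        public int quantity;
    }

    private static XStream baseXStream() {
        XStream xstream = new XStream();
        // Map the <order> root element to our DTO so the benign payload resolves.
        xstream.alias("order", OrderRequest.class);
        return xstream;
    }

    // Vulnerable pattern: no type filtering. XStream instantiates whatever class
    // the XML root element names, so the client controls the type that gets built.
    static Object deserializeUnfiltered(String xml) {
        XStream xstream = baseXStream();
        xstream.addPermission(AnyTypePermission.ANY); // same as XStream < 1.4.18 default
        return xstream.fromXML(xml);
    }

    // Hardened pattern: start from deny-all, then allow only the types this
    // endpoint legitimately receives. Anything else raises ForbiddenClassException
    // before an instance is created.
    static Object deserializeAllowListed(String xml) {
        XStream xstream = baseXStream();
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, OrderRequest.class });
        return xstream.fromXML(xml);
    }

    public static void main(String[] args) {
        // Constructed sample payloads. The second one names a type the endpoint
        // never asked for; java.util.Vector is used only to show that the root
        // element, not the application, decides which class is instantiated.
        String benign = "<order><item>widget</item><quantity>2</quantity></order>";
        String hostile = "<java.util.Vector><string>attacker-chosen type</string></java.util.Vector>";

        System.out.println("unfiltered, benign:  " + deserializeUnfiltered(benign).getClass().getName());
        System.out.println("unfiltered, hostile: " + deserializeUnfiltered(hostile).getClass().getName());
        System.out.println("filtered, benign:    " + deserializeAllowListed(benign).getClass().getName());
        try {
            deserializeAllowListed(hostile);
            System.out.println("filtered, hostile:   accepted (unexpected)");
        } catch (ForbiddenClassException e) {
            System.out.println("filtered, hostile:   rejected: " + e.getMessage());
        }
    }
}
```

The unfiltered deserializer happily returns a `java.util.Vector` for the second payload; the allow-listed one rejects it at the root element. A harmless collection class is used here on purpose: the security-relevant point is that type selection is attacker-controlled, and the real-world impact comes from classes whose reconstruction has side effects, which this page does not enumerate. On XStream 1.4.18 or later the library already ships with a default allow list, but an explicit deny-all plus per-endpoint `allowTypes` is still the right posture because the built-in default is considerably broader than any single endpoint needs.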
Created struts tracking bugs for this issue:
Affects: epel-7 [bug 1488487]
Affects: fedora-all [bug 1488488]
This issue did not affect any Red Hat products, as none of them shipped the Apache Struts 2 package.