Red Hat Bugzilla – Bug 1488482
CVE-2017-9805 struts: RCE attack via REST plugin with XStream handler to deserialise XML requests
Last modified: 2018-03-01 12:04:23 EST
The REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering. Because an unrestricted XStream instance instantiates whatever class the incoming XML names, an attacker who can send a request body to a REST-plugin endpoint controls which classes on the server's classpath get constructed and populated, and this can lead to Remote Code Execution when deserializing XML payloads.
Affected upstream versions: Struts 2.5 - Struts 2.5.12 (fixed upstream in Struts 2.5.13).
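The two patterns the description contrasts, as an added illustration for this entry; this is not Struts' own XStreamHandler and not Red Hat code. It assumes an XStream 1.4.x release from 1.4.7 up to but not including 1.4.18 (where a bare instance still accepts any type; 1.4.18 made deny-all the default), a hypothetical model class Order that the endpoint legitimately expects, and uses java.io.File purely as a harmless stand-in for an attacker-chosen class. The request bodies are constructed for the example.

```java
// Added illustration; not Struts' XStreamHandler and not Red Hat's code.
// Assumes XStream 1.4.7 .. 1.4.17 (com.thoughtworks.xstream) on the classpath.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamTypeFilteringDemo {

    /** Hypothetical model type that the REST endpoint legitimately accepts. */
    public static class Order {
        public String sku;
        public int quantity;
    }

    /**
     * Vulnerable pattern: a bare XStream instance. Without type permissions the
     * root element name (or a class="..." attribute on any element) selects the
     * Java class to instantiate, so the client, not the application, decides
     * which classes on the classpath get constructed and populated.
     */
    static XStream unfiltered() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        return xs;
    }

    /**
     * Hardened pattern: deny every type first, then allow only the types the
     * endpoint actually needs. Anything else is rejected before instantiation.
     */
    static XStream filtered() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        xs.addPermission(NoTypePermission.NONE);              // deny-all baseline
        xs.addPermission(NullPermission.NULL);                // permit null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, Order.class }); // explicit allow-list
        return xs;
    }

    /** Parses a request body; reports the resulting class or the rejected type name. */
    static String describe(XStream xs, String xml) {
        try {
            Object o = xs.fromXML(xml);
            return "accepted: " + o.getClass().getName();
        } catch (ForbiddenClassException e) {
            return "rejected: " + e.getMessage(); // message is the forbidden type's name
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the request the endpoint is designed for.
        String legitimate = "<order><sku>ABC-123</sku><quantity>2</quantity></order>";
        // Constructed sample: a body naming a type the endpoint never asked for.
        // java.io.File is a harmless stand-in for an attacker-chosen class; a real
        // attack names classes whose construction or population executes code.
        String unexpected = "<java.io.File>/etc/passwd</java.io.File>";

        System.out.println("unfiltered, legitimate: " + describe(unfiltered(), legitimate));
        System.out.println("unfiltered, unexpected: " + describe(unfiltered(), unexpected));
        System.out.println("filtered,   legitimate: " + describe(filtered(), legitimate));
        System.out.println("filtered,   unexpected: " + describe(filtered(), unexpected));
    }
}
```

With the unfiltered instance both bodies deserialize, the second one into a java.io.File the application never asked for; with the filtered instance the Order body still deserializes while the File body fails with ForbiddenClassException before any object is created. The allow-list approach shown here works on any 1.4.7 or later release and does not depend on XStream.setupDefaultSecurity(), which only exists from 1.4.10 onward.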
Created struts tracking bugs for this issue:
Affects: epel-7 [bug 1488487]
Affects: fedora-all [bug 1488488]
This issue did not affect any Red Hat products, as none of them include the Apache Struts 2 package.