The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
Metrics
Affected Vendors & Products
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Thu, 06 Feb 2025 21:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
kev
|
Wed, 14 Aug 2024 00:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|

Status: PUBLISHED
Assigner: apache
Published:
Updated: 2025-07-30T01:46:23.770Z
Reserved: 2017-06-21T00:00:00.000Z
Link: CVE-2017-9805

Updated: 2024-08-05T17:18:01.942Z

Status : Deferred
Published: 2017-09-15T19:29:00.237
Modified: 2025-04-20T01:37:25.860
Link: CVE-2017-9805


No data.