
Apache Struts 2 REST Plugin XStream XML Request Deserialization RCE

Description

The remote web application appears to use the Apache Struts 2 web framework. A remote code execution vulnerability exists in the REST plugin, whose XStreamHandler deserializes the body of XML requests with XStream without restricting which Java classes may be instantiated. Because XStream resolves element names in the document to Java types, an unauthenticated, remote attacker can exploit this, via a specially crafted XML request, to execute arbitrary code on the application server. Note that this plugin only reports the first vulnerable instance of a Struts 2 application it finds.
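The security-relevant point in the description is that the XML body, not the application, chooses the class XStream instantiates. The following detection check, added here as an example and not part of Tenable's plugin or the Struts project, makes that concrete: it takes a request's Content-Type and body, collects every name XStream's default mapper would resolve to a Java class (qualified element names and `class="..."` attributes), and flags any type outside an assumed application model package. The package prefix `com.example.orders.` and all sample request bodies are constructed for this example; the check generalizes beyond Struts to any endpoint that feeds request XML into an unrestricted XStream instance.

```python
"""Flag XML request bodies that name Java classes outside the application's model.

XStream's default mapper turns a qualified element name (and any `class="..."`
attribute) into a Java class to instantiate, so a body that references JDK
types instead of the REST resource's own model classes is the signature of an
attempt to reach the unsafe deserialization path.  Example code; the package
prefix and sample requests below are constructed, not taken from a real target.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumption: the application's REST resources deserialize only these types.
ALLOWED_PREFIXES = ("com.example.orders.",)

# A dotted Java-style name such as java.util.HashMap or com.example.orders.Order.
JAVA_CLASS_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")


@dataclass
class Finding:
    reason: str
    name: str


def referenced_types(xml_body):
    """Collect every name XStream would try to resolve to a class."""
    root = ET.fromstring(xml_body)
    names = set()
    for elem in root.iter():
        # A qualified element name is used directly as the class to build.
        if JAVA_CLASS_RE.match(elem.tag):
            names.add(elem.tag)
        # A class attribute overrides the declared field type.
        cls = elem.attrib.get("class")
        if cls:
            names.add(cls)
    return names


def check_request(content_type, body):
    """Return findings for one request; an empty list means nothing suspicious."""
    # The REST plugin hands the body to XStreamHandler for XML content types
    # (it also keys on a .xml URL extension, which this check does not model).
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in ("application/xml", "text/xml"):
        return []
    try:
        names = referenced_types(body)
    except ET.ParseError as exc:
        return [Finding("malformed XML", str(exc))]
    return [Finding("type outside model allow-list", n)
            for n in sorted(names) if not n.startswith(ALLOWED_PREFIXES)]


# Constructed sample requests for this example.
BENIGN = """<com.example.orders.Order>
  <id>42</id>
  <customer class="com.example.orders.Customer"><name>Ada</name></customer>
</com.example.orders.Order>"""

SUSPICIOUS = """<java.util.HashMap>
  <entry>
    <string>x</string>
    <java.net.URL><protocol>http</protocol></java.net.URL>
  </entry>
</java.util.HashMap>"""

JSON_BODY = '{"class": "java.net.URL"}'

if __name__ == "__main__":
    samples = [("application/xml", BENIGN),
               ("application/xml; charset=UTF-8", SUSPICIOUS),
               ("application/json", JSON_BODY)]
    for ct, body in samples:
        print(ct, "->", check_request(ct, body) or "clean")
```

Run against the samples, the model-typed order is clean, the JSON body is ignored because the REST plugin would not route it to XStreamHandler, and the HashMap body is reported twice, once for the root element and once for the nested JDK type. The same allow-list logic applied on the server side (XStream's permission API restricting instantiation to the model package) is what removes the vulnerability rather than merely detecting it.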
