2549 matches found

Broadcom
added 2017/09/08 12:0 a.m. | 9 views

BSA-2017-429

Security Advisory ID: BSA-2017-429. Component: Struts REST. Revision: 2.0: Interim. A flaw was found in the Struts REST plugin when using an outdated XStream library. An attacker could perform a denial of service attack using a malicious request with specially crafted XML payload. Affected Products...

CVSS 7.5 | AI score 6.6 | EPSS 0.07268
Exploits 0
Broadcom
added 2017/09/08 12:0 a.m. | 11 views

BSA-2017-427

Security Advisory ID: BSA-2017-427. Component: Apache Struts 2. Revision: 2.0: Interim. The REST Plugin in Apache Struts2 is using a XStreamHandler with an instance of XStream for deserialization without any type filtering which could lead to Remote Code Execution when deserializing XML payloads. An...

CVSS 8.1 | AI score 9.1 | EPSS 0.99461
Exploits 23
Broadcom
added 2017/09/08 12:0 a.m. | 9 views

BSA-2017-428

Security Advisory ID: BSA-2017-428. Component: Apache Struts. Revision: 2.0: Interim. The previous fix issued with CVE-2017-7672 was incomplete. If an application allows entering a URL in a form field and the built-in URLValidator is used, it is possible to prepare a special URL which will be used to...

CVSS 7.5 | AI score 6.9 | EPSS 0.09507
Exploits 23
Cisco
added 2017/09/07 9:0 p.m. | 208 views

Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products: September 2017

On September 5, 2017, the Apache Software Foundation released security bulletins that disclosed three vulnerabilities in the Apache Struts 2 package. Of these vulnerabilities, the Apache Software Foundation classifies one as Critical Severity, one as Medium Severity, and one as Low Severity. For...

CVSS 8.1 | AI score 8.4 | EPSS 0.99461
Exploits 23 | References 1
Talos Blog
added 2017/09/07 3:42 p.m. | 575 views

Another Apache Struts Vulnerability Under Active Exploitation

This post authored by Nick Biasini with contributions from Alex Chiu. Earlier this week, a critical vulnerability in Apache Struts was publicly disclosed in a security advisory. This new vulnerability, identified as CVE-2017-9805, manifests due to the way the REST plugin uses XStreamHandler with a...

CVSS 10 | AI score 0.7 | EPSS 0.99999
Exploits 66
RedhatCVE
added 2017/09/07 2:48 p.m. | 62 views

CVE-2017-12611

It was found that Freemarker in Struts would permit using read-only properties in value assignment of tag expressions. An attacker could use this to execute arbitrary code...

CVSS 9.8 | AI score 3.5 | EPSS 0.8802
Exploits 6 | References 2
Packet Storm
added 2017/09/07 12:0 a.m. | 455 views

Apache Struts 2 REST Plugin XStream Remote Code Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Apache Struts 2 REST Plugin XStream RCE', 'Description' = %q Apache Struts versions 2.5 through 2.5.12 using the REST plugin are vulnerable to a...

AI score 0.1 | EPSS 0.99461
Exploits 23
0day.today
added 2017/09/07 12:0 a.m. | 173 views

Apache Struts 2.5 - Remote Code Execution Exploit

Exploit for linux platform in category remote exploits Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE Google Dork: filetype:action Date: 06/09/2017 Exploit Author: Warflop Vendor Homepage: https://struts.apache.org/ Software Link:...

CVSS 6.8 | AI score 8.1 | EPSS 0.99461
Exploits 23
0day.today
added 2017/09/07 12:0 a.m. | 1185 views

Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution Exploit

Apache Struts versions 2.5 through 2.5.12 using the REST plugin are vulnerable to a Java deserialization attack in the XStream library. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Apache...

CVSS 6.8 | AI score 1 | EPSS 0.99461
Exploits 23
OpenVAS
added 2017/09/07 12:0 a.m. | 126 views

Apache Struts Security Update (S2-052) - Active Check

Apache Struts is prone to a remote code execution (RCE) vulnerability. SPDX-FileCopyrightText: 2017 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

CVSS 8.1 | AI score 7.3 | EPSS 0.99461
Exploits 23 | References 5
GithubExploit
added 2017/09/06 8:32 a.m. | 5 views

Exploit for Deserialization of Untrusted Data in Apache Struts

Description Apache Struts RCE tool for CVE 2017-9805 O...

CVSS 8.1 | AI score 7.7 | EPSS 0.99461
Exploits 23
CISA
added 2017/09/06 12:0 a.m. | 10 views

Apache Software Foundation Releases Security Update

The Apache Software Foundation has released a security update to address a vulnerability in Struts 2. A remote attacker could exploit this vulnerability to take control of an affected system. US-CERT encourages users and administrators to review the Apache Security Bulletin and Vulnerability Note...

AI score 6.8
Exploits 0 | References 2
Check Point Advisories
added 2017/09/06 12:0 a.m. | 11 views

Apache Struts REST Plugin XStream Deserialization Remote Code Execution (CVE-2017-9805)

A remote code execution vulnerability exists in Apache Struts. This vulnerability is due to an insecure deserialization. A remote attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation will allow an attacker to execute arbitrary co...

CVSS 6.8 | AI score 5.2 | EPSS 0.99461
Exploits 23
exploitpack
added 2017/09/06 12:0 a.m. | 100 views

Apache Struts 2.5 2.5.12 - REST Plugin XStream Remote Code Execution

Apache Struts 2.5 2.5.12 - REST Plugin XStream Remote Code Execution Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE Google Dork: filetype:action Date: 06/09/2017 Exploit Author: Warflop Vendor Homepage: https://struts.apache.org/ Software Link:...

CVSS 6.8 | EPSS 0.99461
Exploits 23
CNVD
added 2017/09/06 12:0 a.m. | 2 views

Apache Struts Incomplete Fix for Denial of Service Vulnerability

Apache Struts is an open source project maintained by the Apache Software Foundation (United States). It is an open source MVC framework for creating enterprise-class Java Web applications, and is mainly provided in two versions, Struts 1 and Struts 2...

CVSS 7.5 | AI score 7.6 | EPSS 0.09507
Exploits 23 | References 1
CNVD
added 2017/09/06 12:0 a.m. | 5 views

Apache Struts REST Plugin Denial of Service Vulnerability

Apache Struts is an open source project maintained by the Apache Software Foundation (United States). It is an open source MVC framework for creating enterprise-class Java Web applications. Apache Struts 2 is the next generation of Apache Struts products, is bas...

CVSS 7.5 | AI score 7.6 | EPSS 0.07268
Exploits 0 | References 1
CERT
added 2017/09/06 12:0 a.m. | 886 views

Apache Struts 2 framework REST plugin insecurely deserializes untrusted XML data

Overview: Apache Struts 2 framework, versions 2.5 to 2.5.12, with REST plugin insecurely deserializes untrusted XML data. A remote, unauthenticated attacker can leverage this vulnerability to execute arbitrary code in the context of the Struts application. Description: CWE-502: Deserialization of...

CVSS 8.1 | AI score 8.5 | EPSS 0.99461
Exploits 23 | References 4
Exploit DB
added 2017/09/06 12:0 a.m. | 581 views

Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution

Exploit Title: Struts 2.5 - 2.5.12 REST Plugin XStream RCE Google Dork: filetype:action Date: 06/09/2017 Exploit Author: Warflop Vendor Homepage: https://struts.apache.org/ Software Link: http://mirror.nbtelecom.com.br/apache/struts/2.5.10/struts-2.5.10-all.zip Version: Struts 2.5 – Struts 2.5.12...

CVSS 8.1 | AI score 8.4 | EPSS 0.99461
Exploits 23
seebug.org
added 2017/09/06 12:0 a.m. | 157 views

Apache Struts2 S2-052 (CVE-2017-9805)

In this post I'll describe how I customized a standard lgtm query to find a remote code execution vulnerability in Apache Struts. A more general announcement about this vulnerability can be found here. It has been assigned CVE-2017-9805, a security bulletin can be found here on the Struts website...

CVSS 6.8 | AI score 9 | EPSS 0.99461
Exploits 23
Tenable Nessus
added 2017/09/06 12:0 a.m. | 643 views

Apache Struts 2 REST Plugin XStream XML Request Deserialization RCE

The remote web application appears to use the Apache Struts 2 web framework. A remote code execution vulnerability exists in the REST plugin, which uses XStreamHandler to insecurely deserialize user-supplied input in XML requests. An unauthenticated, remote attacker can exploit this, via a...

CVSS 8.1 | AI score 8.3 | EPSS 0.99461
Exploits 23 | References 7