Out of Band Code Evaluation (Apache Struts 2)

Severity: Critical

Invicti identified a Remote Code Evaluation (Apache Struts 2) by capturing a DNS A request, which occurs when input data is run as code.


An attacker can send a specially crafted XML request to the application. The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Evaluation when deserializing the XML payloads. 


Upgrade to Apache Struts version 2.5.13 or 2.3.34.

Required Skills for Successful Exploitation#
This vulnerability is not difficult to leverage, Apache Struts 2 is a high level language for which there are vast resources available. Successful exploitation requires knowledge of the programming language, access to or the ability to produce source code for use in such attacks and minimal attack skills.
Invicti Logo

Dead accurate, fast & easy-to-use Web Application Security Scanner

Get a demo