Maven package
org.apache.struts/struts2-rest-plugin
pkg:maven/org.apache.struts/struts2-rest-plugin
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-1327 | — | >= 2.1.1, < 2.5.16 | 2.5.16 | Mar 27, 2018 | The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here | ||
| CVE-2017-15707 | Med | 6.2 | >= 2.5.0, < 2.5.16 | 2.5.16 | Dec 1, 2017 | In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload. | |
| CVE-2017-9793 | Hig | 7.5 | < 2.3.34 | 2.3.34 | Sep 20, 2017 | The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload. | |
| CVE-2017-9805 | Hig | 8.1 | KEV | >= 2.1.1, < 2.3.34 | 2.3.34 | Sep 15, 2017 | The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads. |
| CVE-2016-4438 | Cri | 9.8 | >= 2.3.19, < 2.3.29 | 2.3.29 | Jul 4, 2016 | The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression. | |
| CVE-2013-4316 | — | >= 2.0.0, < 2.3.15.2 | 2.3.15.2 | Sep 30, 2013 | Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. |
- CVE-2018-1327Mar 27, 2018affected >= 2.1.1, < 2.5.16fixed 2.5.16
The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with specially crafted XML payload. Upgrade to the Apache Struts version 2.5.16 and switch to an optional Jackson XML handler as described here
- affected >= 2.5.0, < 2.5.16fixed 2.5.16
In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.
- affected < 2.3.34fixed 2.3.34
The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.
- affected >= 2.1.1, < 2.3.34fixed 2.3.34
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
- affected >= 2.3.19, < 2.3.29fixed 2.3.29
The REST plugin in Apache Struts 2 2.3.19 through 2.3.28.1 allows remote attackers to execute arbitrary code via a crafted expression.
- CVE-2013-4316Sep 30, 2013affected >= 2.0.0, < 2.3.15.2fixed 2.3.15.2
Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.