CVE-2018-1327

CWE-916 | 6 sources
Severity: 7.5 HIGH
EPSS: 6.2% (top 9.12%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 27; latest update Oct 16

Description

The Apache Struts REST Plugin uses the XStream library, which is vulnerable and allows a DoS attack when a malicious request carries a specially crafted XML payload. Upgrade to Apache Struts version 2.5.16 and switch to the optional Jackson XML handler as described at http://struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another option is to implement a custom XML handler based on the Jackson XML handler shipped with Apache Struts 2.5.16.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Source      Package                                    Affected versions
NVD         apache/struts                              2.1.1 to 2.5.14.1
CVEListV5   apache_software_foundation/apache_struts   Apache Struts 2.1.1 to 2.5.14.1

Patches

Vulnerability Details (3)

GHSA: Apache Struts REST Plugin can potentially allow a DoS attack (2018-10-16)
OSV: Apache Struts REST Plugin can potentially allow a DoS attack (2018-10-16)
CVEList: CVE-2018-1327: The Apache Struts REST Plugin is using XStream library which is vulnerable and allow perform a DoS attack when using a malicious request with speciall (2018-03-27)

Vendor Advisories (1)

Red Hat: struts: Denial-of-Service attack via crafted XML request using Struts REST plugin (2018-03-27)

Community (1)

Bugzilla: CVE-2018-1327 struts: Denial-of-Service attack via crafted XML request using Struts REST plugin (2018-03-27)