CVE-2017-9805 vulnerability describes a possible Remote Code Execution (RCE) attack when using the Struts REST plugin with XStream handler to handle XML payloads. This is affecting applications which are built using Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12 MVC Framework that use the REST plugin. The REST Plugin is using a XStreamHandler with an instance of XStream for deserialization without any type filtering and this can lead to Remote Code Execution when deserializing XML payloads.
Is Spectrum affected by this CVE-2017-9805 vulnerability?
No, Spectrum is not affected by this vulnerability. Spectrum does use Struts 2 MVC Framework but it doesn't user the REST plugin. The REST plugin jar is not shipped as part of Spectrum deployment.
Was this information helpful?