Is Spectrum vulnerable to CVE-2017-9805?

Document ID : KB000015898
Last Modified Date : 14/02/2018

CVE-2017-9805 describes a possible Remote Code Execution (RCE) attack when the Struts REST plugin uses its XStream handler to process XML payloads. It affects applications built on the Struts 2.1.2 - Struts 2.3.33 and Struts 2.5 - Struts 2.5.12 MVC Framework releases that use the REST plugin. The REST plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when XML payloads are deserialized.


Is Spectrum affected by CVE-2017-9805?

All Spectrum versions

No, Spectrum is not affected by this vulnerability. Spectrum does use the Struts 2 MVC Framework, but it does not use the REST plugin. The REST plugin jar is not shipped as part of a Spectrum deployment.
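The answer above rests on two facts: the vulnerability requires the Struts REST plugin, and that plugin's jar is absent from a Spectrum deployment. The following script, added here as an example and not CA/Broadcom's own tooling, lets an administrator confirm that on a given installation: it walks a deployment tree (looking inside .war/.ear archives as well), finds Struts core and REST plugin jars, and reports whether a REST plugin version falls inside the ranges quoted in the advisory. The jar naming pattern (struts2-rest-plugin-<version>.jar, struts2-core-<version>.jar) is an assumption taken from the standard Maven artifact names, and the sample deployment trees it builds are constructed for demonstration.

```python
"""
Added example (not CA/Broadcom's own code): scan a deployment tree for the
Struts 2 REST plugin and report whether its version lies inside the ranges
named in the CVE-2017-9805 advisory. Jar naming is assumed to follow the
standard Maven artifact names.
"""
import os
import re
import tempfile
import zipfile
from pathlib import Path

# Inclusive version ranges quoted in the advisory text.
AFFECTED_RANGES = (
    ((2, 1, 2), (2, 3, 33)),   # Struts 2.1.2 - 2.3.33
    ((2, 5, 0), (2, 5, 12)),   # Struts 2.5 - 2.5.12
)

# Standard Maven artifact names; an assumption, not taken from the advisory.
JAR_RE = re.compile(r"^(struts2-core|struts2-rest-plugin)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.5' -> (2, 5, 0) so two- and three-part versions compare correctly."""
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]


def is_affected_version(text):
    """True when the version lies inside one of the advisory's ranges."""
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def classify_jar(name):
    """Return (artifact, version) for a Struts core or REST plugin jar name, else None."""
    match = JAR_RE.match(os.path.basename(name))
    return (match.group(1), match.group(2)) if match else None


def scan_tree(root):
    """Walk a deployment directory; also look inside .war/.ear archives for bundled jars."""
    findings = []  # (location, artifact, version)
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        hit = classify_jar(path.name)
        if hit:
            findings.append((str(path),) + hit)
        elif path.suffix.lower() in (".war", ".ear") and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as archive:
                for entry in archive.namelist():
                    hit = classify_jar(entry)
                    if hit:
                        findings.append((f"{path}!{entry}",) + hit)
    return findings


def assess(findings):
    """Apply the advisory's logic: the issue needs the REST plugin, so no plugin jar means not exposed."""
    rest = [f for f in findings if f[1] == "struts2-rest-plugin"]
    if not rest:
        return {"status": "not-exposed", "reason": "REST plugin jar not present", "rest_plugin": []}
    affected = [f for f in rest if is_affected_version(f[2])]
    if affected:
        return {"status": "exposed", "reason": "REST plugin in affected version range", "rest_plugin": affected}
    return {"status": "review", "reason": "REST plugin present, version outside advisory ranges", "rest_plugin": rest}


def build_sample_tree(with_rest_plugin):
    """Create a constructed, throwaway deployment tree for demonstration; returns its root path."""
    root = Path(tempfile.mkdtemp(prefix="struts-scan-"))
    lib = root / "lib"
    lib.mkdir()
    (lib / "struts2-core-2.3.32.jar").write_bytes(b"")  # placeholder; contents are irrelevant here
    if with_rest_plugin:
        # Bundle the REST plugin inside a WAR the way a web application would ship it.
        with zipfile.ZipFile(root / "app.war", "w") as war:
            war.writestr("WEB-INF/lib/struts2-rest-plugin-2.3.32.jar", b"")
    return str(root)


if __name__ == "__main__":
    # Point scan_tree() at a real installation directory instead of the sample trees.
    for flag in (False, True):
        sample_root = build_sample_tree(flag)
        report = assess(scan_tree(sample_root))
        print(f"{sample_root}: {report['status']} ({report['reason']})")
```

Run it against the installation root of the deployment to check; a "not-exposed" result with struts2-core present and no struts2-rest-plugin jar matches the situation the answer describes for Spectrum, while "review" flags a REST plugin whose version falls outside the advisory's ranges and still deserves a look against the vendor's guidance.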

Additional Information: