The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is using an outdated XStream library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted XML payload.
{
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "2.3.7"
},
{
"last_affected": "2.3.7"
}
],
"source": "CPE_STRING",
"vendor_product": "apache:struts",
"cpes": [
"cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*"
]
}
]
}{
"source": "CPE_STRING",
"cpe": [
"cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.3.33:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.5:beta1:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.5:beta2:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.5:beta3:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.5.10.1:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:struts:2.5.12:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "2.3.7"
},
{
"last_affected": "2.3.7"
},
{
"introduced": "2.3.8"
},
{
"last_affected": "2.3.8"
},
{
"introduced": "2.3.9"
},
{
"last_affected": "2.3.9"
},
{
"introduced": "2.3.10"
},
{
"last_affected": "2.3.10"
},
{
"introduced": "2.3.11"
},
{
"last_affected": "2.3.11"
},
{
"introduced": "2.3.12"
},
{
"last_affected": "2.3.12"
},
{
"introduced": "2.3.13"
},
{
"last_affected": "2.3.13"
},
{
"introduced": "2.3.14"
},
{
"last_affected": "2.3.14"
},
{
"introduced": "2.3.14.1"
},
{
"last_affected": "2.3.14.1"
},
{
"introduced": "2.3.14.2"
},
{
"last_affected": "2.3.14.2"
},
{
"introduced": "2.3.14.3"
},
{
"last_affected": "2.3.14.3"
},
{
"introduced": "2.3.15"
},
{
"last_affected": "2.3.15"
},
{
"introduced": "2.3.15.1"
},
{
"last_affected": "2.3.15.1"
},
{
"introduced": "2.3.15.2"
},
{
"last_affected": "2.3.15.2"
},
{
"introduced": "2.3.15.3"
},
{
"last_affected": "2.3.15.3"
},
{
"introduced": "2.3.16"
},
{
"last_affected": "2.3.16"
},
{
"introduced": "2.3.16.1"
},
{
"last_affected": "2.3.16.1"
},
{
"introduced": "2.3.16.2"
},
{
"last_affected": "2.3.16.2"
},
{
"introduced": "2.3.16.3"
},
{
"last_affected": "2.3.16.3"
},
{
"introduced": "2.3.17"
},
{
"last_affected": "2.3.17"
},
{
"introduced": "2.3.19"
},
{
"last_affected": "2.3.19"
},
{
"introduced": "2.3.20"
},
{
"last_affected": "2.3.20"
},
{
"introduced": "2.3.20.1"
},
{
"last_affected": "2.3.20.1"
},
{
"introduced": "2.3.20.2"
},
{
"last_affected": "2.3.20.2"
},
{
"introduced": "2.3.21"
},
{
"last_affected": "2.3.21"
},
{
"introduced": "2.3.22"
},
{
"last_affected": "2.3.22"
},
{
"introduced": "2.3.23"
},
{
"last_affected": "2.3.23"
},
{
"introduced": "2.3.24.2"
},
{
"last_affected": "2.3.24.2"
},
{
"introduced": "2.3.24.3"
},
{
"last_affected": "2.3.24.3"
},
{
"introduced": "2.3.25"
},
{
"last_affected": "2.3.25"
},
{
"introduced": "2.3.26"
},
{
"last_affected": "2.3.26"
},
{
"introduced": "2.3.27"
},
{
"last_affected": "2.3.27"
},
{
"introduced": "2.3.28"
},
{
"last_affected": "2.3.28"
},
{
"introduced": "2.3.28.1"
},
{
"last_affected": "2.3.28.1"
},
{
"introduced": "2.3.29"
},
{
"last_affected": "2.3.29"
},
{
"introduced": "2.3.30"
},
{
"last_affected": "2.3.30"
},
{
"introduced": "2.3.31"
},
{
"last_affected": "2.3.31"
},
{
"introduced": "2.3.32"
},
{
"last_affected": "2.3.32"
},
{
"introduced": "2.3.33"
},
{
"last_affected": "2.3.33"
},
{
"introduced": "2.5"
},
{
"last_affected": "2.5"
},
{
"introduced": "2.5-beta1"
},
{
"last_affected": "2.5-beta1"
},
{
"introduced": "2.5-beta2"
},
{
"last_affected": "2.5-beta2"
},
{
"introduced": "2.5-beta3"
},
{
"last_affected": "2.5-beta3"
},
{
"introduced": "2.5.1"
},
{
"last_affected": "2.5.1"
},
{
"introduced": "2.5.2"
},
{
"last_affected": "2.5.2"
},
{
"introduced": "2.5.3"
},
{
"last_affected": "2.5.3"
},
{
"introduced": "2.5.4"
},
{
"last_affected": "2.5.4"
},
{
"introduced": "2.5.5"
},
{
"last_affected": "2.5.5"
},
{
"introduced": "2.5.6"
},
{
"last_affected": "2.5.6"
},
{
"introduced": "2.5.7"
},
{
"last_affected": "2.5.7"
},
{
"introduced": "2.5.8"
},
{
"last_affected": "2.5.8"
},
{
"introduced": "2.5.9"
},
{
"last_affected": "2.5.9"
},
{
"introduced": "2.5.10"
},
{
"last_affected": "2.5.10"
},
{
"introduced": "2.5.10.1"
},
{
"last_affected": "2.5.10.1"
},
{
"introduced": "2.5.12"
},
{
"last_affected": "2.5.12"
}
]
}