Vulnerability & Exploit Database

Apache Struts 2 REST Plugin XStream RCE

Apache Struts versions 2.1.2 - 2.3.33 and Struts 2.5 - Struts 2.5.12, using the REST plugin, are vulnerable to a Java deserialization attack in the XStream library.

Module Name

exploit/multi/http/struts2_rest_xstream

Authors

  • Man Yue Mo
  • wvu <wvu [at] metasploit.com>

References

Targets

  • Unix (In-Memory)
  • Python (In-Memory)
  • Linux (Dropper)
  • Windows (Dropper)

Platforms

  • unix
  • python
  • linux
  • windows

Architectures

  • cmd
  • python
  • x86
  • x64

Reliability

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

    msf > use exploit/multi/http/struts2_rest_xstream
    msf exploit(struts2_rest_xstream) > show targets
        ...targets...
    msf exploit(struts2_rest_xstream) > set TARGET <target-id>
    msf exploit(struts2_rest_xstream) > show options
        ...show and set options...
    msf exploit(struts2_rest_xstream) > exploit

Related Vulnerabilities