Apache Struts (CVE-2017-9805)
On 05 September 2017, security researchers announced (https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement) a critical remote code execution vulnerability in Apache Struts.
All Struts versions released since 2008 are affected, making web applications that use the REST plugin vulnerable. It is recommended to upgrade to Apache Struts version 2.5.13 or 2.3.34.
Exploitation of the vulnerability allows an attacker to execute arbitrary code on the application server. It is triggered via a web request that takes advantage of the way Struts deserializes untrusted data.
It has been claimed that at least 65% of Fortune 100 companies use web applications built with the Struts framework. Additionally, there have been reports of multiple working exploits for CVE-2017-9805 being observed in the wild.
Since the announcement of CVE-2017-9805, the AppCheck research and development team have created a plugin to detect this vulnerability in affected Struts applications.