Apache_Struts_CVE-2017-9805
Blog post

This snapshot has the bug.

This directory contains a copy of UnsafeDeserialization.qll, because I get a syntax error when I try to do import Security.CWE.CWE-502.UnsafeDeserialization.

The query is based on an earlier version of one of our default queries, UnsafeDeserialization.ql. When Mo discovered the vulnerability, the standard query did not detect the problem. By studying previous vulnerabilities in Struts, Mo realized that ContentTypeHandler is a source of untrusted input in Struts, so he modified the query to treat it as a taint source. With that modification, the query found the RCE vulnerability. Our Java team have since improved UnsafeDeserialization.ql so that it detects this vulnerability too, which makes this a good example of how the work of the Semmle Security Team improves our queries for all our users. It is interesting to compare the result of Mo's query with the new default query, which you can find in the directory Security/CWE/CWE-502/. The source found by the default query is buried deeper in the library than the one found by Mo's query.
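The kind of modification described above, written out as an added illustration rather than the query in this directory: the parameters of every `toObject` implementation of the Struts REST plugin's ContentTypeHandler are declared a taint source and connected to the existing unsafe-deserialization sinks. The fully qualified interface name, the local `import UnsafeDeserialization` of the copied library, and the `UnsafeDeserializationSink` class name are assumptions.

```ql
/**
 * @name Unsafe deserialization of Struts ContentTypeHandler input
 * @kind problem
 * @problem.severity error
 */
import java
import semmle.code.java.dataflow.TaintTracking
// Assumes the copy of UnsafeDeserialization.qll in this directory provides
// the class UnsafeDeserializationSink (name assumed).
import UnsafeDeserialization

/** The Struts REST plugin interface that parses request bodies (package name assumed). */
class ContentTypeHandler extends Interface {
  ContentTypeHandler() {
    this.hasQualifiedName("org.apache.struts2.rest.handler", "ContentTypeHandler")
  }
}

/** Any `toObject` method declared on ContentTypeHandler or one of its implementations. */
class ContentTypeHandlerToObject extends Method {
  ContentTypeHandlerToObject() {
    this.hasName("toObject") and
    this.getDeclaringType().getAnAncestor() instanceof ContentTypeHandler
  }
}

/** The parameters of such a method: the request body reaches the handler through them. */
class ContentTypeHandlerSource extends DataFlow::Node {
  ContentTypeHandlerSource() {
    this.asParameter() = any(ContentTypeHandlerToObject m).getAParameter()
  }
}

/** Taint from the handler's input to a deserialization call on attacker-controlled data. */
class ContentTypeHandlerDeserializationConfig extends TaintTracking::Configuration {
  ContentTypeHandlerDeserializationConfig() { this = "ContentTypeHandlerDeserializationConfig" }

  override predicate isSource(DataFlow::Node source) { source instanceof ContentTypeHandlerSource }

  override predicate isSink(DataFlow::Node sink) { sink instanceof UnsafeDeserializationSink }
}

from DataFlow::Node source, UnsafeDeserializationSink sink, ContentTypeHandlerDeserializationConfig conf
where conf.hasFlow(source, sink)
select sink.getMethodAccess(), "Unsafe deserialization of $@.", source, "ContentTypeHandler input"
```

Comparing this query's result with the default query's is the point made above: both reach the same deserialization call, but the default query's source sits further down in the library.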