CVE-2017-5638
Apache Struts Remote Code Execution Vulnerability
Public Exploits: 27
Exploited in Wild: Yes
Descriptions
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
The Jakarta Multipart parser in Apache Struts 2 in 2.3.x versions before 2.3.32 and 2.5.x versions before 2.5.10.1 does not correctly handle exceptions and error-message generation, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type, Content-Disposition, or Content-Length HTTP header.
Apache Struts Jakarta Multipart parser allows for malicious file upload using the Content-Type value, leading to remote code execution.
Timeline
- 2017-01-29 CVE Reserved
- 2017-03-07 First Exploit
- 2017-03-10 CVE Published
- 2021-11-03 Exploited in Wild
- 2022-05-03 KEV Due Date
- 2024-08-05 CVE Updated
- 2024-08-21 EPSS Updated
CWE
- CWE-20: Improper Input Validation
References (55)
URL | Date | SRC |
---|---|---|
https://cwiki.apache.org/confluence/display/WW/S2-045 | 2017-03-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Apache | Struts | 2.3.5 | - | Affected |
Apache | Struts | 2.3.6 | - | Affected |
Apache | Struts | 2.3.7 | - | Affected |
Apache | Struts | 2.3.8 | - | Affected |
Apache | Struts | 2.3.9 | - | Affected |
Apache | Struts | 2.3.10 | - | Affected |
Apache | Struts | 2.3.11 | - | Affected |
Apache | Struts | 2.3.12 | - | Affected |
Apache | Struts | 2.3.13 | - | Affected |
Apache | Struts | 2.3.14 | - | Affected |
Apache | Struts | 2.3.14.1 | - | Affected |
Apache | Struts | 2.3.14.2 | - | Affected |
Apache | Struts | 2.3.14.3 | - | Affected |
Apache | Struts | 2.3.15 | - | Affected |
Apache | Struts | 2.3.15.1 | - | Affected |
Apache | Struts | 2.3.15.2 | - | Affected |
Apache | Struts | 2.3.15.3 | - | Affected |
Apache | Struts | 2.3.16 | - | Affected |
Apache | Struts | 2.3.16.1 | - | Affected |
Apache | Struts | 2.3.16.2 | - | Affected |
Apache | Struts | 2.3.16.3 | - | Affected |
Apache | Struts | 2.3.17 | - | Affected |
Apache | Struts | 2.3.19 | - | Affected |
Apache | Struts | 2.3.20 | - | Affected |
Apache | Struts | 2.3.20.1 | - | Affected |
Apache | Struts | 2.3.20.2 | - | Affected |
Apache | Struts | 2.3.20.3 | - | Affected |
Apache | Struts | 2.3.21 | - | Affected |
Apache | Struts | 2.3.22 | - | Affected |
Apache | Struts | 2.3.23 | - | Affected |
Apache | Struts | 2.3.24 | - | Affected |
Apache | Struts | 2.3.24.1 | - | Affected |
Apache | Struts | 2.3.24.2 | - | Affected |
Apache | Struts | 2.3.24.3 | - | Affected |
Apache | Struts | 2.3.25 | - | Affected |
Apache | Struts | 2.3.26 | - | Affected |
Apache | Struts | 2.3.27 | - | Affected |
Apache | Struts | 2.3.28 | - | Affected |
Apache | Struts | 2.3.28.1 | - | Affected |
Apache | Struts | 2.3.29 | - | Affected |
Apache | Struts | 2.3.30 | - | Affected |
Apache | Struts | 2.3.31 | - | Affected |
Apache | Struts | 2.5 | - | Affected |
Apache | Struts | 2.5.1 | - | Affected |
Apache | Struts | 2.5.2 | - | Affected |
Apache | Struts | 2.5.3 | - | Affected |
Apache | Struts | 2.5.4 | - | Affected |
Apache | Struts | 2.5.5 | - | Affected |
Apache | Struts | 2.5.6 | - | Affected |
Apache | Struts | 2.5.7 | - | Affected |
Apache | Struts | 2.5.8 | - | Affected |
Apache | Struts | 2.5.9 | - | Affected |
Apache | Struts | 2.5.10 | - | Affected |