CVE-2017-5638 — Apache Struts vulnerable to remote arbitrary command execution due to improper i

Description

Apache Struts versions prior to 2.3.32 and 2.5.10.1 contain incorrect exception handling and error-message generation during file-upload attempts using the Jakarta Multipart parser, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

How to fix CVE-2017-5638

To remediate CVE-2017-5638, upgrade the affected package to a fixed version below.

—upgrade to 2.3.32 or later

Is CVE-2017-5638 being exploited?

Yes — CVE-2017-5638 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (1)

>= 2.3.0, < 2.3.32

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL10.0	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H

References (46)

ADVISORYgithub.com/advisories/GHSA-j77q-2qqg-6989
ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-5638
PATCHgithub.com/apache/struts
WEBblog.talosintelligence.com/2017/03/apache-0-day-exploited.html