CVE-2017-5638 is a vulnerability in Apache Struts
Published on March 11, 2017

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Vendor Advisory NVD

Known Exploited Vulnerability

This Apache Struts Jakarta Multipart parser exception handling vulnerability is part of CISA's list of Known Exploited Vulnerabilities. The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

The following remediation steps are recommended / required by May 3, 2022: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2017-5638 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Products Associated with CVE-2017-5638

You can be notified by stack.watch whenever vulnerabilities like CVE-2017-5638 are published in these products:

Apache Struts

What versions of Struts are vulnerable to CVE-2017-5638?

Apache Struts Version 2.3.5
Apache Struts Version 2.3.6
Apache Struts Version 2.3.7
Apache Struts Version 2.3.8
Apache Struts Version 2.3.9
Apache Struts Version 2.3.10
Apache Struts Version 2.3.11
Apache Struts Version 2.3.12
Apache Struts Version 2.3.13
Apache Struts Version 2.3.14
Apache Struts Version 2.3.14.1
Apache Struts Version 2.3.14.2
Apache Struts Version 2.3.14.3
Apache Struts Version 2.3.15
Apache Struts Version 2.3.15.1
Apache Struts Version 2.3.15.2
Apache Struts Version 2.3.15.3
Apache Struts Version 2.3.16
Apache Struts Version 2.3.16.1
Apache Struts Version 2.3.16.2
Apache Struts Version 2.3.16.3
Apache Struts Version 2.3.17
Apache Struts Version 2.3.19
Apache Struts Version 2.3.20
Apache Struts Version 2.3.20.1
Apache Struts Version 2.3.20.2
Apache Struts Version 2.3.20.3
Apache Struts Version 2.3.21
Apache Struts Version 2.3.22
Apache Struts Version 2.3.23
Apache Struts Version 2.3.24
Apache Struts Version 2.3.24.1
Apache Struts Version 2.3.24.2
Apache Struts Version 2.3.24.3
Apache Struts Version 2.3.25
Apache Struts Version 2.3.26
Apache Struts Version 2.3.27
Apache Struts Version 2.3.28
Apache Struts Version 2.3.28.1
Apache Struts Version 2.3.29
Apache Struts Version 2.3.30
Apache Struts Version 2.3.31