CVE-2017-5638

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
11/03/2017
Last modified:
20/04/2025

Description

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* 2.2.3 (including) 2.3.32 (excluding)
cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* 2.5.0 (including) 2.5.10.1 (excluding)
cpe:2.3:o:ibm:storwize_v3500_firmware:7.7.1.6:*:*:*:*:*:*:*
cpe:2.3:o:ibm:storwize_v3500_firmware:7.8.1.0:*:*:*:*:*:*:*
cpe:2.3:h:ibm:storwize_v3500:-:*:*:*:*:*:*:*
cpe:2.3:o:ibm:storwize_v5000_firmware:7.7.1.6:*:*:*:*:*:*:*
cpe:2.3:o:ibm:storwize_v5000_firmware:7.8.1.0:*:*:*:*:*:*:*
cpe:2.3:h:ibm:storwize_v5000:-:*:*:*:*:*:*:*
cpe:2.3:o:ibm:storwize_v7000_firmware:7.7.1.6:*:*:*:*:*:*:*
cpe:2.3:o:ibm:storwize_v7000_firmware:7.8.1.0:*:*:*:*:*:*:*
cpe:2.3:h:ibm:storwize_v7000:-:*:*:*:*:*:*:*
cpe:2.3:o:lenovo:storage_v5030_firmware:7.7.1.6:*:*:*:*:*:*:*
cpe:2.3:o:lenovo:storage_v5030_firmware:7.8.1.0:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:storage_v5030:-:*:*:*:*:*:*:*
cpe:2.3:a:hp:server_automation:9.1.0:*:*:*:*:*:*:*


References to Advisories, Solutions, and Tools