Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
1

CVE-2017-5638

Disclosure Date: March 11, 2017
Exploited in the Wild
Reported by AttackerKB Worker and 1 more...
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Add Assessment

1
Ratings
Technical Analysis

This popped Equifax. Vulnerable versions of Struts are exploitable out of the box, since this was a parser flaw. Make sure this is patched!

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

  • Vulnerable Products: Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
  • Associated Malware: JexBoss
  • Mitigation: Upgrade to Struts 2.3.32 or Struts 2.5.10.1
CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Vendors

  • apache

Products

  • struts 2.3.10,
  • struts 2.3.11,
  • struts 2.3.12,
  • struts 2.3.13,
  • struts 2.3.14,
  • struts 2.3.14.1,
  • struts 2.3.14.2,
  • struts 2.3.14.3,
  • struts 2.3.15,
  • struts 2.3.15.1,
  • struts 2.3.15.2,
  • struts 2.3.15.3,
  • struts 2.3.16,
  • struts 2.3.16.1,
  • struts 2.3.16.2,
  • struts 2.3.16.3,
  • struts 2.3.17,
  • struts 2.3.19,
  • struts 2.3.20,
  • struts 2.3.20.1,
  • struts 2.3.20.2,
  • struts 2.3.20.3,
  • struts 2.3.21,
  • struts 2.3.22,
  • struts 2.3.23,
  • struts 2.3.24,
  • struts 2.3.24.1,
  • struts 2.3.24.2,
  • struts 2.3.24.3,
  • struts 2.3.25,
  • struts 2.3.26,
  • struts 2.3.27,
  • struts 2.3.28,
  • struts 2.3.28.1,
  • struts 2.3.29,
  • struts 2.3.30,
  • struts 2.3.31,
  • struts 2.3.5,
  • struts 2.3.6,
  • struts 2.3.7,
  • struts 2.3.8,
  • struts 2.3.9,
  • struts 2.5,
  • struts 2.5.1,
  • struts 2.5.10,
  • struts 2.5.2,
  • struts 2.5.3,
  • struts 2.5.4,
  • struts 2.5.5,
  • struts 2.5.6,
  • struts 2.5.7,
  • struts 2.5.8,
  • struts 2.5.9

Exploited in the Wild

Reported by:

References

Advisory

Additional Info

Technical Analysis