CVE-2017-5638

Name of the Vulnerable Software and Affected Versions Apache Struts versions 2.3.x through 2.3.31 Apache Struts versions 2.5.x through 2.5.10

Description The Jakarta Multipart parser in Apache Struts 2 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. This issue was exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. The vulnerability can be used to execute Java code of the attacker's choice on systems that have a vulnerable version of Apache Struts 2 without prior authentication.

Recommendations For Apache Struts versions 2.3.x through 2.3.31, update to version 2.3.32 or later. For Apache Struts versions 2.5.x through 2.5.10, update to version 2.5.10.1 or later. As a temporary workaround, consider disabling the Jakarta Multipart parser until a patch is available. Restrict access to the Content-Type, Content-Disposition, and Content-Length HTTP headers to minimize the risk of exploitation.