CVE-2017-5638
Summary
| CVE | CVE-2017-5638 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2017-03-11 02:59:00 UTC |
| Updated | 2023-11-07 02:49:00 UTC |
| Description | The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string. |
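The description above names the whole injection surface: the Jakarta Multipart parser builds an error message from the request's Content-Type, Content-Disposition or Content-Length header, and an OGNL expression placed in that header is evaluated. A request that reaches that path therefore has to carry an OGNL expression in one of those three headers, which is what a defender can screen for at a proxy, WAF or in captured traffic. The following is an added example, not code from the CVE record, from Apache Struts or from any of the referenced advisories: a Python screen that parses raw HTTP requests, flags OGNL markers in the three named headers, and separately flags a Content-Type that mentions `multipart/form-data` without being a well-formed multipart header (the shape that selects the Jakarta parser and then fails). The sample requests are constructed and inert, and the regexes, the marker list and the assumption that a legitimate multipart Content-Type carries only a `boundary` parameter are this example's own.

```python
"""Screen HTTP request headers for the S2-045 (CVE-2017-5638) injection shape.

Added example for this CVE record; not code from Apache Struts or from any
referenced advisory.  Sample requests below are constructed and inert.
"""
import re
from typing import Dict, List, Tuple

# Headers the CVE description names as injection vectors.
WATCHED_HEADERS = ("content-type", "content-disposition", "content-length")

# OGNL markers: "%{" / "${" open an expression, "#cmd=" is the variable
# assignment the CVE description cites from the March 2017 in-the-wild
# payload, and "@class@member" is OGNL's static-call syntax.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#cmd=|@[\w.]+@\w+")

# What a legitimate multipart upload header looks like (RFC 2046 boundary
# characters).  Assumption: no further parameters such as charset are expected.
MULTIPART_OK = re.compile(
    r'multipart/form-data\s*;\s*boundary="?[A-Za-z0-9\'()+_,\-./:=?]{1,70}"?\s*',
    re.IGNORECASE,
)


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (request line, {lower-cased header: value}).
    Any body after the blank line is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def scan_request(raw: str) -> List[str]:
    """Return human-readable findings for one request; an empty list means clean."""
    _, headers = parse_request(raw)
    findings: List[str] = []
    for name in WATCHED_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        hit = OGNL_MARKERS.search(value)
        if hit:
            findings.append(f"{name}: OGNL marker {hit.group(0)!r} at offset {hit.start()}")
    ctype = headers.get("content-type", "")
    # The Jakarta parser is selected when the header mentions multipart/form-data;
    # a header that mentions it but is not well-formed is the shape that reaches
    # the faulty error-message path.
    if "multipart/form-data" in ctype.lower() and not MULTIPART_OK.fullmatch(ctype):
        findings.append("content-type: mentions multipart/form-data but is not a well-formed multipart header")
    return findings


def triage(samples: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a batch of labelled requests and return only those with findings."""
    result: Dict[str, List[str]] = {}
    for label, raw in samples.items():
        hits = scan_request(raw)
        if hits:
            result[label] = hits
    return result


# Constructed sample requests (not captured traffic).
SAMPLE_BENIGN = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk\r\n"
    "Content-Length: 1234\r\n"
    "\r\n"
)
# Inert stand-in for the S2-045 header shape: an OGNL expression whose first
# term names multipart/form-data (so the Jakarta parser is selected) plus the
# "#cmd=" assignment the CVE description cites.  It invokes nothing.
SAMPLE_CT_OGNL = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#cmd='id')}\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# Same idea via the Content-Disposition header, which the description also names.
SAMPLE_CD_OGNL = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=abc123\r\n"
    'Content-Disposition: form-data; name="${#cmd}"\r\n'
    "\r\n"
)

if __name__ == "__main__":
    batch = {"benign": SAMPLE_BENIGN, "ct-ognl": SAMPLE_CT_OGNL, "cd-ognl": SAMPLE_CD_OGNL}
    for label, hits in triage(batch).items():
        print(label)
        for hit in hits:
            print("   ", hit)
```

The structural check on Content-Type is deliberately stricter than the marker regex: it will also flag odd but harmless clients that add a `charset` parameter, which is an acceptable false positive for triage but should be relaxed before using this as a blocking rule.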
Risk And Classification
EPSS: 0.94267 exploitation probability, 99.936th percentile (scored 2026-04-01)
CISA KEV: listed 2021-11-03; remediation due 2022-05-03; known ransomware campaign use: Known
Problem Types: CWE-20 (Improper Input Validation)
CISA Known Exploited Vulnerability
| Vendor | Apache |
|---|---|
| Product | Struts |
| Name | Apache Struts Remote Code Execution Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2017-5638 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Struts | 2.3.5 | All | All | All |
| Application | Apache | Struts | 2.3.6 | All | All | All |
| Application | Apache | Struts | 2.3.7 | All | All | All |
| Application | Apache | Struts | 2.3.8 | All | All | All |
| Application | Apache | Struts | 2.3.9 | All | All | All |
| Application | Apache | Struts | 2.3.10 | All | All | All |
| Application | Apache | Struts | 2.3.11 | All | All | All |
| Application | Apache | Struts | 2.3.12 | All | All | All |
| Application | Apache | Struts | 2.3.13 | All | All | All |
| Application | Apache | Struts | 2.3.14 | All | All | All |
| Application | Apache | Struts | 2.3.14.1 | All | All | All |
| Application | Apache | Struts | 2.3.14.2 | All | All | All |
| Application | Apache | Struts | 2.3.14.3 | All | All | All |
| Application | Apache | Struts | 2.3.15 | All | All | All |
| Application | Apache | Struts | 2.3.15.1 | All | All | All |
| Application | Apache | Struts | 2.3.15.2 | All | All | All |
| Application | Apache | Struts | 2.3.15.3 | All | All | All |
| Application | Apache | Struts | 2.3.16 | All | All | All |
| Application | Apache | Struts | 2.3.16.1 | All | All | All |
| Application | Apache | Struts | 2.3.16.2 | All | All | All |
| Application | Apache | Struts | 2.3.16.3 | All | All | All |
| Application | Apache | Struts | 2.3.17 | All | All | All |
| Application | Apache | Struts | 2.3.19 | All | All | All |
| Application | Apache | Struts | 2.3.20 | All | All | All |
| Application | Apache | Struts | 2.3.20.1 | All | All | All |
| Application | Apache | Struts | 2.3.20.2 | All | All | All |
| Application | Apache | Struts | 2.3.20.3 | All | All | All |
| Application | Apache | Struts | 2.3.21 | All | All | All |
| Application | Apache | Struts | 2.3.22 | All | All | All |
| Application | Apache | Struts | 2.3.23 | All | All | All |
| Application | Apache | Struts | 2.3.24 | All | All | All |
| Application | Apache | Struts | 2.3.24.1 | All | All | All |
| Application | Apache | Struts | 2.3.24.2 | All | All | All |
| Application | Apache | Struts | 2.3.24.3 | All | All | All |
| Application | Apache | Struts | 2.3.25 | All | All | All |
| Application | Apache | Struts | 2.3.26 | All | All | All |
| Application | Apache | Struts | 2.3.27 | All | All | All |
| Application | Apache | Struts | 2.3.28 | All | All | All |
| Application | Apache | Struts | 2.3.28.1 | All | All | All |
| Application | Apache | Struts | 2.3.29 | All | All | All |
| Application | Apache | Struts | 2.3.30 | All | All | All |
| Application | Apache | Struts | 2.3.31 | All | All | All |
| Application | Apache | Struts | 2.5 | All | All | All |
| Application | Apache | Struts | 2.5.1 | All | All | All |
| Application | Apache | Struts | 2.5.2 | All | All | All |
| Application | Apache | Struts | 2.5.3 | All | All | All |
| Application | Apache | Struts | 2.5.4 | All | All | All |
| Application | Apache | Struts | 2.5.5 | All | All | All |
| Application | Apache | Struts | 2.5.6 | All | All | All |
| Application | Apache | Struts | 2.5.7 | All | All | All |
| Application | Apache | Struts | 2.5.8 | All | All | All |
| Application | Apache | Struts | 2.5.9 | All | All | All |
| Application | Apache | Struts | 2.5.10 | All | All | All |
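The CPE list enumerates every affected release one by one, but for inventory triage the useful form is the range rule from the description: 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1. The following is an added example (not code from Apache, NVD or the CVE program) that encodes those two ranges and applies them to three inputs a practitioner actually has: a bare version string, a CPE 2.3 string of the form `cpe:2.3:a:apache:struts:<version>:...`, and a Maven `pom.xml` declaring `org.apache.struts:struts2-core` (the coordinate the QID mapping at the end of this page refers to). The pom fragment and the CPE string are constructed; resolving a `${property}` version against `<properties>` is handled, while parent-POM inheritance and `dependencyManagement` are left out of scope by assumption. It goes slightly beyond the page by returning "out of scope" for branches the advisory does not mention, so that 2.2.x or 6.x inputs are not silently reported as fixed.

```python
"""Decide whether a Struts 2 version sits inside the CVE-2017-5638 ranges.

Added example for this CVE record, not code from Apache or the CVE program.
Ranges come from the CVE description: 2.3.x before 2.3.32, 2.5.x before
2.5.10.1.  The CPE string and pom.xml fragment used below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# branch -> first fixed version on that branch (from the CVE description).
FIXED_IN: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); a '-SNAPSHOT' style qualifier is dropped.
    Tuple comparison orders dotted releases correctly, including
    2.5.10 < 2.5.10.1, which a plain string compare does not."""
    core = version.strip().split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in core.split("."))


def classify(version: str) -> str:
    """'affected', 'fixed' (same branch, at or past the fix) or 'out of scope'
    (a branch the advisory does not cover, e.g. 2.2.x or 6.x)."""
    v = parse_version(version)
    fix = FIXED_IN.get(v[:2])
    if fix is None:
        return "out of scope"
    return "affected" if v < fix else "fixed"


def is_affected(version: str) -> bool:
    return classify(version) == "affected"


def version_from_cpe(cpe: str) -> Optional[str]:
    """Pull the version field out of a CPE 2.3 string for apache:struts;
    None for any other product."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[:5] != ["cpe", "2.3", "a", "apache", "struts"]:
        return None
    return parts[5]


POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def struts2_core_version_from_pom(pom_xml: str) -> Optional[str]:
    """Return the declared org.apache.struts:struts2-core version, resolving a
    ${property} reference against <properties>.  Assumption: parent-POM
    inheritance and dependencyManagement are not consulted."""
    root = ET.fromstring(pom_xml)
    props = {
        prop.tag.split("}", 1)[-1]: (prop.text or "").strip()
        for prop in root.findall("m:properties/*", POM_NS)
    }
    for dep in root.findall(".//m:dependency", POM_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=POM_NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=POM_NS).strip()
        if (gid, aid) != ("org.apache.struts", "struts2-core"):
            continue
        ver = dep.findtext("m:version", default="", namespaces=POM_NS).strip()
        ref = re.fullmatch(r"\$\{([^}]+)\}", ver)
        if ref:
            ver = props.get(ref.group(1), "")
        return ver or None
    return None


def triage_inventory(items: Dict[str, str]) -> List[str]:
    """Given host -> Struts version, return the hosts that are affected."""
    return [host for host, ver in items.items() if is_affected(ver)]


# Constructed pom.xml fragment (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <struts.version>2.5.10</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for v in ("2.3.5", "2.3.31", "2.3.32", "2.5.10", "2.5.10.1", "2.2.3.1"):
        print(v, classify(v))
    print("pom.xml declares:", struts2_core_version_from_pom(SAMPLE_POM))
```

"Out of scope" means only that the advisory's two ranges say nothing about that branch; it is not a statement that such a version is safe. Note also that the description's "2.3.x" is broader than the CPE enumeration, which starts at 2.3.5, and the range rule follows the description.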
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| git1-us-west.apache.org/repos/asf | CONFIRM | git1-us-west.apache.org | Patch |
| Apache Struts CVE-2017-5638 Remote Code Execution Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| S2-046 - Apache Struts 2 Documentation - Apache Software Foundation | CONFIRM | cwiki.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| HPE Support document - HPE Support Center | CONFIRM | h20566.www2.hpe.com | |
| Vulnerability Note VU#834067 - Apache Struts 2 is vulnerable to remote code execution | CERT-VN | www.kb.cert.org | |
| Struts2 S2-045 Remote Command Execution ≈ Packet Storm | MISC | packetstormsecurity.com | Exploit, VDB Entry |
| S2-045 - Apache Struts 2 Documentation - Apache Software Foundation | CONFIRM | cwiki.apache.org | Mitigation, Vendor Advisory |
| CVE-2017-5638: Apache Struts 2 Vulnerability Leads to Remote Code Execution - TrendLabs Security Intelligence Blog | MISC | blog.trendmicro.com | Technical Description, Third Party Advisory |
| CVE-2017-5638 Apache Struts Vulnerability in Multiple NetApp Products - NetApp Product Security | CONFIRM | security.netapp.com | |
| Cisco's Talos Intelligence Group Blog: Content-Type: Malicious - New Apache Struts2 0-day Under Attack | MISC | blog.talosintelligence.com | Technical Description, Third Party Advisory |
| Critical vulnerability under “massive” attack imperils high-impact sites [Updated] - Ars Technica | MISC | arstechnica.com | Press/Media Coverage |
| www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt | CONFIRM | www.arubanetworks.com | |
| S2-046 - Apache Struts 2 Documentation - Apache Software Foundation | CONFIRM | struts.apache.org | |
| S2-045 - Apache Struts 2 Documentation - Apache Software Foundation | CONFIRM | struts.apache.org | |
| Apache Struts Open Source Framework Remote Code Execution - US | CONFIRM | support.lenovo.com | |
| http-vuln-cve2017-5638 NSE Script | MISC | nmap.org | Third Party Advisory |
| Apache Struts Vulnerability Under Attack - eWEEK | MISC | www.eweek.com | Press/Media Coverage |
| Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution | EXPLOIT-DB | exploit-db.com | Exploit, VDB Entry |
| Apache Struts Jakarata Multipart Parser Bug Lets Remote Users Execute Arbitrary Commands on the Target System - SecurityTracker | SECTRACK | www.securitytracker.com | |
| og150 on Twitter: "Oh dear lord no....... Surely the 'Guest Self Registration' Cisco ISE portal isn't vulnerable :-| #ApacheStruts CVE-2017-5638 https://t.co/fyhYhaWbjX" | MISC | twitter.com | Third Party Advisory |
| InfoSec Handlers Diary Blog - Critical Apache Struts 2 Vulnerability (Patch Now!) | MISC | isc.sans.edu | Technical Description, Third Party Advisory |
| GitHub - mazen160/struts-pwn: An exploit for Apache Struts CVE-2017-5638 | MISC | github.com | Exploit |
| CVE-2017-5638 - Apache Struts2 S2-045 · Issue #8064 · rapid7/metasploit-framework · GitHub | MISC | github.com | Exploit |
| SA145 : Apache Struts 2 RCE Vulnerability | CONFIRM | www.symantec.com | |
| Oracle Critical Patch Update - July 2017 | CONFIRM | www.oracle.com | |
| CVE-2017-5638: New Remote Code Execution (RCE) Vulnerability in Apache Struts 2 – Blog - Imperva | MISC | www.imperva.com | |
| Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit) | EXPLOIT-DB | www.exploit-db.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 982310 Java (maven) Security Update for org.apache.struts:struts2-core (GHSA-j77q-2qqg-6989)