Lucene search

K
nvd[email protected]NVD:CVE-2017-5638
HistoryMar 11, 2017 - 2:59 a.m.

CVE-2017-5638

2017-03-1102:59:00
CWE-20
web.nvd.nist.gov
1

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.1

Confidence

High

EPSS

0.975

Percentile

100.0%

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Affected configurations

NVD
Node
apachestrutsMatch2.3.5
OR
apachestrutsMatch2.3.6
OR
apachestrutsMatch2.3.7
OR
apachestrutsMatch2.3.8
OR
apachestrutsMatch2.3.9
OR
apachestrutsMatch2.3.10
OR
apachestrutsMatch2.3.11
OR
apachestrutsMatch2.3.12
OR
apachestrutsMatch2.3.13
OR
apachestrutsMatch2.3.14
OR
apachestrutsMatch2.3.14.1
OR
apachestrutsMatch2.3.14.2
OR
apachestrutsMatch2.3.14.3
OR
apachestrutsMatch2.3.15
OR
apachestrutsMatch2.3.15.1
OR
apachestrutsMatch2.3.15.2
OR
apachestrutsMatch2.3.15.3
OR
apachestrutsMatch2.3.16
OR
apachestrutsMatch2.3.16.1
OR
apachestrutsMatch2.3.16.2
OR
apachestrutsMatch2.3.16.3
OR
apachestrutsMatch2.3.17
OR
apachestrutsMatch2.3.19
OR
apachestrutsMatch2.3.20
OR
apachestrutsMatch2.3.20.1
OR
apachestrutsMatch2.3.20.2
OR
apachestrutsMatch2.3.20.3
OR
apachestrutsMatch2.3.21
OR
apachestrutsMatch2.3.22
OR
apachestrutsMatch2.3.23
OR
apachestrutsMatch2.3.24
OR
apachestrutsMatch2.3.24.1
OR
apachestrutsMatch2.3.24.2
OR
apachestrutsMatch2.3.24.3
OR
apachestrutsMatch2.3.25
OR
apachestrutsMatch2.3.26
OR
apachestrutsMatch2.3.27
OR
apachestrutsMatch2.3.28
OR
apachestrutsMatch2.3.28.1
OR
apachestrutsMatch2.3.29
OR
apachestrutsMatch2.3.30
OR
apachestrutsMatch2.3.31
Node
apachestrutsMatch2.5
OR
apachestrutsMatch2.5.1
OR
apachestrutsMatch2.5.2
OR
apachestrutsMatch2.5.3
OR
apachestrutsMatch2.5.4
OR
apachestrutsMatch2.5.5
OR
apachestrutsMatch2.5.6
OR
apachestrutsMatch2.5.7
OR
apachestrutsMatch2.5.8
OR
apachestrutsMatch2.5.9
OR
apachestrutsMatch2.5.10

References

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

10

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.1

Confidence

High

EPSS

0.975

Percentile

100.0%