Lucene search

K
osvGoogleOSV:GHSA-J77Q-2QQG-6989
HistoryOct 18, 2018 - 7:24 p.m.

Apache Struts vulnerable to remote arbitrary command execution due to improper input validation

2018-10-1819:24:26
Google
osv.dev
163

EPSS

0.975

Percentile

100.0%

Apache Struts versions prior to 2.3.32 and 2.5.10.1 contain incorrect exception handling and error-message generation during file-upload attempts using the Jakarta Multipart parser, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

References