0.975 High
EPSS
Percentile
100.0%
Added: 03/16/2017
CVE: CVE-2017-5638
BID: 96729
Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 improperly handles file upload. When the Content-Type header of a request is not a valid multipart media type, the parser builds an error message that includes the header value and passes it through Struts' localized text lookup, which evaluates OGNL expressions embedded in the message. Remote attackers can therefore execute arbitrary commands via a "#cmd=" string in a specially crafted Content-Type HTTP header; no authentication or valid upload is required.
Upgrade Struts 2.3.x series to Struts 2.3.32 or later, and Struts 2.5.x series to Struts 2.5.10.1 or later.
<https://cwiki.apache.org/confluence/display/WW/S2-045>
<https://www.exploit-db.com/exploits/41570/>
Exploit works on vulnerable versions of Apache Struts 2.3.5 through 2.3.31 and 2.5 through 2.5.10.
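The following script is an added example, not code from the advisory, the exploit-db entry, or the Struts project. It does two things a responder typically needs for this entry: triage a discovered Struts version against the affected and fixed releases listed above, and flag HTTP requests whose Content-Type carries OGNL expression syntax or is forged to look multipart without actually being one, which is the error path the vulnerable parser evaluates. The request records, the log-style tuple layout, and the function names are constructed for the example; the OGNL sample header is deliberately non-functional and only carries the markers a detector looks for.

```python
"""Triage and detection helpers for Apache Struts 2 S2-045 (CVE-2017-5638).

Added example, not part of the original advisory. Version ranges come from the
S2-045 advisory text; request samples below are constructed, not real traffic.
"""
import re

# Affected ranges as stated in S2-045 (inclusive). Fix releases are 2.3.32 and 2.5.10.1.
VULNERABLE_RANGES = (
    ((2, 3, 5), (2, 3, 31)),   # 2.3.5 .. 2.3.31
    ((2, 5, 0), (2, 5, 10)),   # 2.5   .. 2.5.10
)


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); '2.5' -> (2, 5, 0).

    A non-numeric suffix such as '-SNAPSHOT' is ignored after its leading digits."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_struts(version):
    """True if the version lies inside an affected range.

    Tuple ordering makes (2, 5, 10, 1) greater than (2, 5, 10), so the fix
    release 2.5.10.1 falls outside the 2.5 .. 2.5.10 range automatically."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in VULNERABLE_RANGES)


# Syntax that never belongs in a Content-Type value: OGNL expression openers and
# the identifiers that the public payloads for this bug rely on.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#cmd=|#_memberAccess|@ognl\.OgnlContext|getRuntime\(\)|ProcessBuilder",
    re.IGNORECASE,
)


def classify_content_type(value):
    """Return a reason string for a suspicious Content-Type, or None if it looks benign.

    Two conditions are checked:
      * OGNL markers anywhere in the value ("ognl-markers").
      * The literal 'multipart/form-data' appears (so Struts routes the request to
        the multipart wrapper) but the value does not start with 'multipart/', so
        the file-upload parser rejects it and builds the error message that
        triggers the OGNL evaluation ("malformed-multipart").
    """
    if OGNL_MARKERS.search(value):
        return "ognl-markers"
    lowered = value.lstrip().lower()
    if "multipart/form-data" in lowered and not lowered.startswith("multipart/"):
        return "malformed-multipart"
    return None


# Constructed sample records: (method, path, Content-Type). Not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/struts2-showcase/fileupload/doUpload.action",
     "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"),
    ("POST", "/api/login", "application/json"),
    ("POST", "/struts2-showcase/index.action",
     "%{(#_='multipart/form-data').(#cmd='id')}"),   # markers only, not a working payload
    ("POST", "/struts2-showcase/index.action",
     "foo multipart/form-data"),                    # forged to reach the error path
    ("GET", "/", ""),
]


def scan_requests(records):
    """Return [(index, reason), ...] for every record whose Content-Type is suspicious."""
    hits = []
    for index, (_method, _path, content_type) in enumerate(records):
        reason = classify_content_type(content_type)
        if reason is not None:
            hits.append((index, reason))
    return hits


if __name__ == "__main__":
    for version in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(version, "vulnerable" if is_vulnerable_struts(version) else "fixed")
    for index, reason in scan_requests(SAMPLE_REQUESTS):
        method, path, content_type = SAMPLE_REQUESTS[index]
        print(f"{reason}: {method} {path} Content-Type={content_type!r}")
```

The "malformed-multipart" rule is the one worth keeping in a WAF or log pipeline even after patching: a Content-Type that mentions multipart/form-data but does not start with it has no legitimate origin, so it is a low-noise signal of someone probing for this class of bug. Version triage should be run against the actual struts2-core jar found on the host rather than a version claimed in a banner.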