The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Metrics
Affected Vendors & Products
References
History
Wed, 14 Aug 2024 00:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
MITRE
Status: PUBLISHED
Assigner: apache
Published: 2017-03-11T02:11:00
Updated: 2024-08-05T15:04:15.370Z
Reserved: 2017-01-29T00:00:00
Link: CVE-2017-5638
Vulnrichment
No data.
NVD
Status : Modified
Published: 2017-03-11T02:59:00.150
Modified: 2024-11-21T03:28:04.340
Link: CVE-2017-5638
Redhat