CVE-2017-5638

CVSS 9.8 CRITICAL | EPSS 100.0% | KEV | CWE-755
In short

Apache Struts 2 has a flaw in how it handles file uploads that lets attackers run malicious commands on a server by sending specially crafted HTTP headers. This is a critical vulnerability that was actively exploited in real attacks.

Technical detail

The Jakarta Multipart parser in Apache Struts 2 (versions 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1) improperly handles exceptions during multipart form-data processing, allowing remote code execution through OGNL injection via a crafted Content-Type, Content-Disposition, or Content-Length header. The vulnerability requires only network access to an affected application endpoint and no authentication, and results in arbitrary command execution on the server.

Summary generated and translated by AI from the official description.
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
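The descriptions above name the three headers the vulnerable multipart parser reflected into an OGNL-evaluated error message. The following is an added, defender-side example, not code from this page or from the Struts project: a header inspection routine that rejects a multipart request (or a single multipart part) whose inspected headers carry OGNL expression markers or do not have the shape a real client sends, the same idea as a reject-on-Content-Type valve placed in front of an application that cannot be patched immediately. The marker list, the strict Content-Type regex, the sample header sets and the function name inspect_headers are assumptions constructed for this example; the actual fix remains upgrading to 2.3.32 / 2.5.10.1 as stated above, and this check is only a compensating control.

```python
import re
from typing import Dict, List, Tuple

# Request and part headers that the vulnerable Jakarta Multipart parser reflected
# into an error message which was then evaluated as OGNL (per the CVE description).
INSPECTED_HEADERS = ("content-type", "content-disposition", "content-length")

# Substrings that mark an OGNL expression. None of them belongs in a legitimate
# multipart header, so a match is a high-confidence signal. Hypothetical list
# assembled for this example; extend it from your own telemetry.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#cmd=|#_memberAccess|@java\.|@ognl\.", re.IGNORECASE)

# Strict shape of a multipart request Content-Type: the media type followed by a
# boundary parameter limited to the RFC 2046 'bchars' set (1..70 characters).
STRICT_MULTIPART = re.compile(
    r"""^multipart/form-data\s*;\s*boundary="?[A-Za-z0-9'()+_,\-./:=? ]{1,70}"?\s*$""",
    re.IGNORECASE,
)


def inspect_headers(headers: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (accept, findings) for one set of headers (request-level or per part).

    accept is False when any inspected header carries an OGNL marker or does not
    have the shape a real client would send; findings explains each reason."""
    findings: List[str] = []
    for name, value in headers.items():
        lname = name.lower()
        if lname not in INSPECTED_HEADERS:
            continue
        if OGNL_MARKERS.search(value):
            findings.append(f"{name}: OGNL expression marker in header value")
        if lname == "content-type" and "multipart/" in value.lower() \
                and not STRICT_MULTIPART.match(value):
            # The vulnerable code only checked that 'multipart/form-data' occurred
            # somewhere in the header, so a leading expression still reached the parser.
            findings.append(f"{name}: multipart Content-Type not in the expected shape")
        if lname == "content-length" and not value.strip().isdigit():
            findings.append(f"{name}: non-numeric Content-Length")
    return (not findings, findings)


# Constructed sample header sets (not captured traffic).
BENIGN_HEADERS = {
    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "Content-Length": "1234",
}
EXPRESSION_PREFIX_HEADERS = {
    # Expression placed before the media type, with a placeholder body; not a working payload.
    "Content-Type": "%{#cmd='PLACEHOLDER'}.multipart/form-data",
    "Content-Length": "0",
}
NO_BOUNDARY_HEADERS = {"Content-Type": "multipart/form-data"}
NON_MULTIPART_HEADERS = {"Content-Type": "application/json", "Content-Length": "42"}
BAD_LENGTH_HEADERS = {"Content-Type": "application/json", "Content-Length": "abc"}

if __name__ == "__main__":
    for label, hdrs in [("benign", BENIGN_HEADERS), ("expression prefix", EXPRESSION_PREFIX_HEADERS),
                        ("no boundary", NO_BOUNDARY_HEADERS), ("non-multipart", NON_MULTIPART_HEADERS),
                        ("bad length", BAD_LENGTH_HEADERS)]:
        accept, reasons = inspect_headers(hdrs)
        print(f"{label:18} accept={accept} {reasons}")
```

Run the same function over each part's headers after splitting the body, since the Content-Disposition variant carries the expression inside the multipart body rather than in the request headers; anything it rejects should be logged with the offending header value so the event can feed detection rules.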
Public PoCs found: 89
github.com/mazen160/struts-pwn (443)
github.com/Flyteas/Struts2-045-Exp (61)
github.com/immunio/apache-struts2-CVE-2017-5638 (35)
github.com/jas502n/S2-045-EXP-POC-TOOLS (25)
github.com/PolarisLab/S2-045 (24)
github.com/jas502n/st2-046-poc (21)
github.com/xsscx/cve-2017-5638 (21)
github.com/ret2jazzy/Struts-Apache-ExploitPack (16)
github.com/win3zz/CVE-2017-5638 (16)
github.com/jrrdev/cve-2017-5638 (14)
github.com/sUbc0ol/Apache-Struts2-RCE-Exploit-v2-CVE-2017-5638 (13)
github.com/Iletee/struts2-rce (11)
github.com/tahmed11/strutsy (10)
github.com/initconf/CVE-2017-5638_struts (8)
github.com/payatu/CVE-2017-5638 (8)
github.com/0x00-0x00/CVE-2017-5638 (6)
github.com/R4v3nBl4ck/Apache-Struts-2-CVE-2017-5638-Exploit- (3)
github.com/falcon-lnhg/StrutsShell (3)
github.com/Nithylesh/web-application-firewall- (3)
github.com/iampetru/PoC-CVE-2017-5638 (3)
github.com/opt9/Strutscli (2)
github.com/aljazceru/CVE-2017-5638-Apache-Struts2 (2)
github.com/Greynad/struts2-jakarta-inject (2)
github.com/andypitcher/check_struts (2)
github.com/lolwaleet/ExpStruts (2)
github.com/opt9/Strutshock (2)
github.com/Kouf320/docker-lab-cve-2017-5638-cve-2021-41773 (2)
github.com/jpacora/Struts2Shell (1)
github.com/Masahiro-Yamada/OgnlContentTypeRejectorValve (1)
github.com/oktavianto/CVE-2017-5638-Apache-Struts2 (1)
github.com/KarzsGHR/S2-046_S2-045_POC (1)
github.com/riyazwalikar/struts-rce-cve-2017-5638 (1)
github.com/sighup1/cybersecurity-struts2 (1)
github.com/m3ssap0/struts2_cve-2017-5638 (1)
github.com/ggolawski/struts-rce (1)
github.com/un4ckn0wl3z/CVE-2017-5638 (1)
github.com/ludy-dev/XworkStruts-RCE (1)
github.com/jongmartinez/CVE-2017-5638 (1)
github.com/jptr218/struts_hack (1)
github.com/kloutkake/CVE-2017-5638-PoC (1)
github.com/haxerr9/CVE-2017-5638 (1)
github.com/ACharaf06/CVE-2017-5638-Attack-and-Defense (1)
github.com/Xhendos/CVE-2017-5638 (0)
github.com/invisiblethreat/strutser (0)
github.com/c002/Apache-Struts (0)
github.com/donaldashdown/Common-Vulnerability-and-Exploit (0)
github.com/MuhammadAbdullah192/CVE-2017-5638-Remote-Code-Execution-Apache-Struts2-EXPLOITATION (0)
github.com/cafnet/apache-struts-v2-CVE-2017-5638 (0)
github.com/jrrombaldo/CVE-2017-5638 (0)
github.com/kaylertee/Computer-Security-Equifax-2017 (0)
github.com/sjitech/test_struts2_vulnerability_CVE-2017-5638 (0)
github.com/FozilCV/Apache-Struts2-CVE-2017-5638 (0)
github.com/btamburi/strutszeiro (0)
github.com/leandrocamposcardoso/CVE-2017-5638-Mass-Exploit (0)
github.com/bongbongco/cve-2017-5638 (0)
github.com/eeehit/CVE-2017-5638 (0)
github.com/sUbc0ol/Apache-Struts-CVE-2017-5638-RCE-Mass-Scanner (0)
github.com/gsfish/S2-Reaper (0)
github.com/random-robbie/CVE-2017-5638 (0)
github.com/TamiiLambrado/Apache-Struts-CVE-2017-5638-RCE-Mass-Scanner (0)
github.com/colorblindpentester/CVE-2017-5638 (0)
github.com/injcristianrojas/cve-2017-5638 (0)
github.com/soufiane-benchahyd/vulhub-struts2 (0)
github.com/sonatype-workshops/struts2-rce (0)
github.com/AIPEACS/SC3010-Computer-Security (0)
github.com/Badbird3/CVE-2017-5638 (0)
github.com/testpilot031/vulnerability_struts-2.3.31 (0)
github.com/readloud/CVE-2017-5638 (0)
github.com/Tankirat/CVE-2017-5638 (0)
github.com/mfdev-solution/Exploit-CVE-2017-5638 (0)
github.com/mritunjay-k/CVE-2017-5638 (0)
github.com/FredBrave/CVE-2017-5638-ApacheStruts2.3.5 (0)
github.com/Majaktech/apache-struts-cve-2017-5638-project (0)
github.com/Xernary/CVE-2017-5638-POC (0)
github.com/timothyjxhn/DeliberatelyVulnerableWebApp (0)
github.com/toothbrushsoapflannelbiscuits/cve-2017-5638 (0)
github.com/Dungsocool/CVE-2017-5638 (0)
github.com/QHxDr-dz/CVE-2017-5638 (0)
github.com/joidiego/Detection-struts-cve-2017-5638-detector (0)
github.com/Aasron/Struts2-045-Exp (0)
github.com/SpiderMate/Stutsfi (0)
github.com/mcassano/cve-2017-5638 (0)
github.com/smancke/CVE-2017-5638 (0)
github.com/homjxi0e/CVE-2017-5638 (0)
CVE reference: www.exploit-db.com/exploits/41614/ (unverified)
Exploit-DB: www.exploit-db.com/exploits/41570 (unverified)
Exploit-DB: www.exploit-db.com/exploits/41614 (unverified)
CVE reference: packetstormsecurity.com/files/141494/S2-45-poc.py.txt (unverified)
CVE reference: exploit-db.com/exploits/41570 (unverified)
⚠ Public resources for assessing the exposure of systems you control or are authorized to test. Test only with authorization.
