CVE-2017-5638

CVE Database · CVE-2017-5638

CVE-2017-5638

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

100.00%

Published

Mar 10, 2017

Modified

Apr 21, 2026

CISA Known Exploited Vulnerability

Added: 2021-11-03 · Due: 2022-05-03

Apply updates per vendor instructions.

Public PoC / Exploit (12)

All weaponized →

Exploit-DBApache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution Exploit-DBApache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - 'Jakarta' Multipart Parser OGNL Injection (Metasploit)NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCmazen160/struts-pwn★443 GitHub PoCFlyteas/Struts2-045-Exp★61 GitHub PoCimmunio/apache-struts2-CVE-2017-5638★35 GitHub PoCjas502n/S2-045-EXP-POC-TOOLS★25 GitHub PoCPolarisLab/S2-045★24 GitHub PoCxsscx/cve-2017-5638★21 GitHub PoCjas502n/st2-046-poc★21 GitHub PoCret2jazzy/Struts-Apache-ExploitPack★16

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-755CWE-755

Affected Products (25)

apache · struts (up to 2.3.32)vulnerable

apache · struts (up to 2.5.10.1)vulnerable

ibm · storwize_v3500_firmwarevulnerable

ibm · storwize_v3500

ibm · storwize_v5000_firmwarevulnerable

ibm · storwize_v5000

ibm · storwize_v7000_firmwarevulnerable