Vulnerability Note VU#834067
Apache Struts 2 is vulnerable to remote code execution
Apache Struts, versions 2.3.5 - 2.3.31 and 2.5 - 2.5.10, is vulnerable to code injection leading to remote code execution (RCE).
CWE-94: Improper Control of Generation of Code - CVE-2017-5638
An attacker can execute arbitrary OGNL code by including it in the "Content-Type" header of a file upload request.
An unauthenticated remote attacker can execute arbitrary commands with the privileges of the user running Apache Struts.
Apply an update
If you are unable to update Struts, please see the workaround suggested by Apache.
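For reviewing captured requests or screening uploads while the update is rolled out, the following added example (not part of the original note and not Apache's workaround) flags "Content-Type" values that carry an OGNL expression delimiter or are not a well-formed media type. It assumes OGNL expressions are delimited by `%{` or `${`; the function name, host, path and sample requests are constructed for illustration.

```python
import re

# Assumption of this example: OGNL reaches Struts wrapped in %{...} or ${...},
# so either opener inside a Content-Type value is treated as hostile.
OGNL_OPENERS = ("%{", "${")

# RFC 7231 media type: type "/" subtype *( OWS ";" OWS name "=" value )
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_PARAM = rf'{_TOKEN}=(?:{_TOKEN}|"(?:[^"\\]|\\.)*")'
MEDIA_TYPE = re.compile(rf"{_TOKEN}/{_TOKEN}(?:[ \t]*;[ \t]*{_PARAM})*[ \t]*")


def content_type_findings(raw_request):
    """Return the reasons a raw HTTP request's Content-Type looks unsafe."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    values = [line.split(":", 1)[1].strip()
              for line in head.split("\r\n")[1:]          # skip request line
              if line.lower().startswith("content-type:")]
    findings = []
    if len(values) > 1:
        findings.append("duplicate Content-Type headers")
    for value in values:
        if any(opener in value for opener in OGNL_OPENERS):
            findings.append("OGNL expression delimiter in Content-Type")
        elif not MEDIA_TYPE.fullmatch(value):
            findings.append("Content-Type is not a valid media type")
    return findings


def _request(content_type):
    # Constructed sample request; host and path are placeholders.
    return ("POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
            f"Content-Type: {content_type}\r\n\r\n")


# Constructed samples: the expressions are inert placeholders.
SAMPLES = {
    "benign": _request("multipart/form-data; boundary=----b0undary"),
    "ognl": _request("%{constructed-placeholder}.multipart/form-data"),
    "quoted": _request('multipart/form-data; boundary="${placeholder}"'),
    "malformed": _request("multipart form-data"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} {content_type_findings(raw) or 'ok'}")
```

The delimiter test runs before the grammar test because a quoted parameter value can be a valid media type and still contain `${`, as the "quoted" sample shows.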
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apache Struts | Affected | - | 14 Mar 2017 |
This document was written by Trent Novelly.
- CVE IDs: CVE-2017-5638
- Date Public: 06 Mar 2017
- Date First Published: 14 Mar 2017
- Date Last Updated: 14 Mar 2017
- Document Revision: 7