The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Metrics
Affected Vendors & Products
References
History
Thu, 06 Feb 2025 21:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
kev
|
Wed, 14 Aug 2024 00:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|

Status: PUBLISHED
Assigner: apache
Published:
Updated: 2025-02-06T21:14:30.267Z
Reserved: 2017-01-29T00:00:00.000Z
Link: CVE-2017-5638

Updated: 2024-08-05T15:04:15.370Z

Status : Modified
Published: 2017-03-11T02:59:00.150
Modified: 2025-02-06T22:15:32.190
Link: CVE-2017-5638
