CVE-2017-5638
Known Exploited (CISA KEV)CRITICAL
9.8
CVSS Severity Score
Vulnerability Description
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Affected Platforms (CPE)
📦
Apache
Struts
>= 2.2.3 and < 2.3.32📦
Apache
Struts
>= 2.5.0 and < 2.5.10.1💻
Ibm
Storwize V3500 Firmware
= 7.7.1.6💻
Ibm
Storwize V3500 Firmware
= 7.8.1.0💻
Ibm
Storwize V5000 Firmware
= 7.7.1.6💻
Ibm
Storwize V5000 Firmware
= 7.8.1.0💻
Ibm
Storwize V7000 Firmware
= 7.7.1.6💻
Ibm
Storwize V7000 Firmware
= 7.8.1.0💻
Lenovo
Storage V5030 Firmware
= 7.7.1.6💻
Lenovo
Storage V5030 Firmware
= 7.8.1.0📦
Hp
Server Automation
= 9.1.0📦
Hp
Server Automation
= 10.0.0📦
Hp
Server Automation
= 10.1.0📦
Hp
Server Automation
= 10.2.0📦
Hp
Server Automation
= 10.5.0📦
Oracle
Weblogic Server
= 10.3.6.0.0📦
Oracle
Weblogic Server
= 12.1.3.0.0📦
Oracle
Weblogic Server
= 12.2.1.1.0📦
Oracle
Weblogic Server
= 12.2.1.2.0📦
Arubanetworks
Clearpass Policy Manager
< 6.6.5📦
Netapp