Apache Struts, versions 2.3.5 - 2.3.31 and 2.5 - 2.5.10, is vulnerable to code injection leading to remote code execution (RCE).
CWE-94: Improper Control of Generation of Code - CVE-2017-5638
An attacker can execute arbitrary OGNL code included in the “Content-Type” header of a file upload.
This vulnerability is actively being exploited.
An unauthenticated remote attacker can execute arbitrary commands with the privileges of the user running Apache Struts.
Apply an update
Update to Apache Struts 2.3.32 or 2.5.10.1
If you are unable to update Struts, please see the workaround suggested by Apache here.
834067
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: March 14, 2017
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 8.7 | E:H/RL:OF/RC:C |
Environmental | 8.7 | CDP:N/TD:H/CR:ND/IR:ND/AR:ND |
This document was written by Trent Novelly.
CVE IDs: | CVE-2017-5638 |
---|---|
Date Public: | 2017-03-06 Date First Published: |
blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/
cwe.mitre.org/data/definitions/94.html
cwiki.apache.org/confluence/display/WW/S2-045
github.com/rapid7/metasploit-framework/issues/8064
www.exploit-db.com/exploits/41570/
www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/