Apache Struts 2.3.5 < 2.3.32 / 2.5.x < 2.5.10.1 Remote Code Execution (S2-045 / S2-046)

critical Web Application Scanning Plugin ID 112726

Synopsis

Apache Struts 2.3.5 < 2.3.32 / 2.5.x < 2.5.10.1 Remote Code Execution (S2-045 / S2-046)

Description

The Jakarta Multipart parser in Apache Struts 2 2.3.5 to 2.3.31 and 2.5.x to 2.5.10 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Solution

Upgrade to Apache Struts 2 2.3.32, 2.5.10.1 or later.

See Also

https://cwiki.apache.org/confluence/display/WW/S2-045

https://cwiki.apache.org/confluence/display/WW/S2-046

Plugin Details

Severity: Critical

ID: 112726

Type: remote

Published: 3/30/2021

Updated: 9/7/2021

Scan Template: scan, api, pci

Risk Information

CVSS Score Source: CVE-2017-5638

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 3/10/2017

Reference Information

CVE: CVE-2017-5638