Critical severity9.8CISA KEVNVD Advisory· Published Mar 11, 2017· Updated Apr 21, 2026
CVE-2017-5638
CVE-2017-5638
Description
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.struts:struts2-coreMaven | >= 2.3.0, < 2.3.32 | 2.3.32 |
org.apache.struts:struts2-coreMaven | >= 2.5.0, < 2.5.10.1 | 2.5.10.1 |
Affected products
20- cpe:2.3:a:arubanetworks:clearpass_policy_manager:*:*:*:*:*:*:*:*Range: <6.6.5
cpe:2.3:a:hp:server_automation:10.0.0:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:hp:server_automation:10.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:hp:server_automation:10.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:hp:server_automation:10.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:hp:server_automation:10.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:hp:server_automation:9.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*
cpe:2.3:o:ibm:storwize_v3500_firmware:7.7.1.6:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:ibm:storwize_v3500_firmware:7.7.1.6:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:storwize_v3500_firmware:7.8.1.0:*:*:*:*:*:*:*
cpe:2.3:o:ibm:storwize_v5000_firmware:7.7.1.6:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:ibm:storwize_v5000_firmware:7.7.1.6:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:storwize_v5000_firmware:7.8.1.0:*:*:*:*:*:*:*
cpe:2.3:o:ibm:storwize_v7000_firmware:7.7.1.6:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:ibm:storwize_v7000_firmware:7.7.1.6:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:storwize_v7000_firmware:7.8.1.0:*:*:*:*:*:*:*
cpe:2.3:o:lenovo:storage_v5030_firmware:7.7.1.6:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:lenovo:storage_v5030_firmware:7.7.1.6:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:storage_v5030_firmware:7.8.1.0:*:*:*:*:*:*:*
Patches
41ed29d508fc0376a891aeed6352306493971https://github.com/apache/strutsvia ghsa
b06dd50af2a3https://github.com/apache/strutsvia ghsa
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
49- www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.htmlnvdPatchThird Party AdvisoryWEB
- blog.talosintelligence.com/2017/03/apache-0-day-exploited.htmlnvdExploitThird Party AdvisoryWEB
- blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/nvdExploitThird Party Advisory
- arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/nvdExploitPress/Media Coverage
- exploit-db.com/exploits/41570nvdExploitThird Party AdvisoryVDB EntryWEB
- github.com/rapid7/metasploit-framework/issues/8064nvdExploitIssue TrackingWEB
- isc.sans.edu/diary/22169nvdExploitThird Party AdvisoryWEB
- nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.htmlnvdExploitThird Party AdvisoryWEB
- packetstormsecurity.com/files/141494/S2-45-poc.py.txtnvdExploitThird Party AdvisoryVDB EntryBroken LinkWEB
- www.exploit-db.com/exploits/41614/nvdExploitThird Party AdvisoryVDB Entry
- www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txtnvdThird Party AdvisoryWEB
- www.eweek.com/security/apache-struts-vulnerability-under-attack.htmlnvdPress/Media CoverageThird Party AdvisoryWEB
- www.securityfocus.com/bid/96729nvdBroken LinkThird Party AdvisoryVDB EntryWEB
- www.securitytracker.com/id/1037973nvdBroken LinkThird Party AdvisoryVDB EntryWEB
- cwiki.apache.org/confluence/display/WW/S2-045nvdMitigationVendor AdvisoryWEB
- cwiki.apache.org/confluence/display/WW/S2-046nvdMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-j77q-2qqg-6989ghsaADVISORY
- h20566.www2.hpe.com/hpsc/doc/public/displaynvdThird Party AdvisoryWEB
- h20566.www2.hpe.com/hpsc/doc/public/displaynvdThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2017-5638ghsaADVISORY
- security.netapp.com/advisory/ntap-20170310-0001/nvdThird Party Advisory
- struts.apache.org/docs/s2-045.htmlnvdMitigationVendor AdvisoryWEB
- struts.apache.org/docs/s2-046.htmlnvdMitigationVendor AdvisoryWEB
- support.lenovo.com/us/en/product_security/len-14200nvdThird Party AdvisoryWEB
- twitter.com/theog150/status/841146956135124993nvdBroken LinkThird Party AdvisoryWEB
- www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/nvdThird Party Advisory
- www.kb.cert.org/vuls/id/834067nvdThird Party AdvisoryUS Government ResourceWEB
- blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-executionghsaWEB
- arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sitesghsaWEB
- git1-us-west.apache.org/repos/asfnvdBroken LinkWEB
- git1-us-west.apache.org/repos/asfnvdBroken LinkWEB
- git1-us-west.apache.org/repos/asfghsaWEB
- git1-us-west.apache.org/repos/asfghsaWEB
- github.com/apache/struts/commit/352306493971e7d5a756d61780d57a76eb1f519aghsaWEB
- github.com/apache/struts/commit/b06dd50af2a3319dd896bf5c2f4972d2b772cf2bghsaWEB
- h20566.www2.hpe.com/hpsc/doc/public/displaynvdBroken LinkWEB
- lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3EnvdMailing ListWEB
- lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3EnvdMailing ListWEB
- lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3EnvdMailing ListWEB
- lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3EghsaWEB
- security.netapp.com/advisory/ntap-20170310-0001ghsaWEB
- web.archive.org/web/20170311203630/http://www.securityfocus.com/bid/96729ghsaWEB
- web.archive.org/web/20170921030226/http://www.securitytracker.com/id/1037973ghsaWEB
- www.cisa.gov/known-exploited-vulnerabilities-catalognvdUS Government ResourceWEB
- www.exploit-db.com/exploits/41614ghsaWEB
- www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2ghsaWEB
- www.symantec.com/security-center/network-protection-security-advisories/SA145nvdBroken LinkWEB
News mentions
0No linked articles in our index yet.