CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2017-5638

CVSS 9.8v3.1pub. 2017-03-11upd. 2026-04-21

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Struts

    APP
    Apache
    2.2.3 – 2.3.32 (bez)2.5.0 – 2.5.10.1 (bez)
  • Arubanetworks Clearpass Policy Manager

    APP
    Arubanetworks
    < 6.6.5
  • HP Server Automation

    APP
    Hp
    10.0.010.1.010.2.010.5.09.1.0
  • IBM Storwize V3500

    HW
    Ibm
    wszystkie wersje
  • IBM Storwize V3500 Firmware

    OS
    Ibm
    7.7.1.67.8.1.0
  • IBM Storwize V5000

    HW
    Ibm
    wszystkie wersje
  • IBM Storwize V5000 Firmware

    OS
    Ibm
    7.7.1.67.8.1.0
  • IBM Storwize V7000

    HW
    Ibm
    wszystkie wersje
  • IBM Storwize V7000 Firmware

    OS
    Ibm
    7.7.1.67.8.1.0
  • Lenovo Storage V5030

    HW
    Lenovo
    wszystkie wersje
  • Lenovo Storage V5030 Firmware

    OS
    Lenovo
    7.7.1.67.8.1.0
  • Netapp Oncommand Balance

    APP
    Netapp
    wszystkie wersje
  • Oracle Weblogic Server

    APP
    Oracle
    10.3.6.0.012.1.3.0.012.2.1.1.012.2.1.2.0

CISA KEV — detailsi

Vendori
Apache
Producti
Struts
Added to KEVi
November 3, 2021
Remediation deadline (US Federal)i
May 3, 2022(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Apache Struts Jakarta Multipart parser allows for malicious file upload using the Content-Type value, leading to remote code execution.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 3 maja 2022
CWE
References

Related vulnerabilities

CVE-2022-22965CRITICAL9.8⚠ KEVten sam produkt

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...

CVE-2020-17530CRITICAL9.8⚠ KEVten sam produkt

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution....

CVE-2020-14750CRITICAL9.8⚠ KEVten sam produkt

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supporte...

CVE-2020-14882CRITICAL9.8⚠ KEVten sam produkt

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supporte...

CVE-2020-14644CRITICAL9.8⚠ KEVten sam produkt

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported v...