1. Home
  2. Mapping Frameworks
  3. Known Exploited Vulnerabilities Home
  4. Apache Struts Remote Code Execution Vulnerability

Known Exploited Vulnerabilities CVE-2017-5638

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2017-5638 Apache Struts Remote Code Execution Vulnerability secondary_impact T1005 Data from Local System
Comments
CVE-2017-5638 is a remote code execution vulnerability in Apache Struts Jakarta Multipart versions that allows for malicious file upload using Content-Type, Content-Disposition, or Content-Length HTTP headers during file-upload attempts leading to an attacker to execute arbitrary commands. This CVE was known to be exploited during the Equifax breach.
References
  1. https://securityaffairs.com/63043/hacking/equifax-data-breach.html
  2. https://www.synopsys.com/blogs/software-security/equifax-apache-struts-vulnerability-cve-2017-5638.html
CVE-2017-5638 Apache Struts Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
Comments
CVE-2017-5638 is a remote code execution vulnerability in Apache Struts Jakarta Multipart versions that allows for malicious file upload using Content-Type, Content-Disposition, or Content-Length HTTP headers during file-upload attempts leading to an attacker to execute arbitrary commands. This CVE was known to be exploited during the Equifax breach.
References
  1. https://securityaffairs.com/63043/hacking/equifax-data-breach.html
  2. https://www.synopsys.com/blogs/software-security/equifax-apache-struts-vulnerability-cve-2017-5638.html
CVE-2017-5638 Apache Struts Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
Comments
CVE-2017-5638 is a remote code execution vulnerability in Apache Struts Jakarta Multipart versions that allows for malicious file upload using Content-Type, Content-Disposition, or Content-Length HTTP headers during file-upload attempts leading to an attacker to execute arbitrary commands. This CVE was known to be exploited during the Equifax breach.
References
  1. https://securityaffairs.com/63043/hacking/equifax-data-breach.html
  2. https://www.synopsys.com/blogs/software-security/equifax-apache-struts-vulnerability-cve-2017-5638.html