CVE-2017-5638

Command Injection
Affects: Apache Struts 2 (Struts), versions >= 2.3.5 - <2.3.31, >=2.5 - <2.5.10
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Struts is a popular open-source web application framework for developing Java EE web applications. It provides robust support for building modern Java-based enterprise applications.

A command injection vulnerability (CVE-2017-5638) has been identified in Apache Struts. It allows an attacker to execute arbitrary commands through specially crafted HTTP headers, exploiting a flaw in the file upload handling mechanism.

Per OWASP, command injection is an attack in which an attacker aims to execute arbitrary commands on the host operating system through a vulnerable application. These attacks occur when an application passes untrusted user input (in this case, HTTP headers) to a system shell without proper validation. The commands supplied by the attacker are typically executed with the same privileges as the vulnerable application.

This issue affects multiple versions: 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1.

Details

Module Info

  • Product: Apache Struts 2
  • Affected packages: struts-core
  • Affected versions: >= 2.3.5 - <2.3.31, >=2.5 - <2.5.10
  • GitHub repository: https://github.com/apache/struts
  • Package manager: Maven
  • Fixed in: Struts 2.3.32, Struts 2.5.10.1

Vulnerability Info

The vulnerability occurred because some versions of Apache Struts did not correctly sanitize user-controlled input in certain HTTP request headers. Exceptions and error messages were not handled securely during the processing of file uploads. The flaw lies in the Jakarta Multipart parser that Apache Struts uses to handle file upload requests.

Credit

Mitigation

Users of the affected components should apply one of the following mitigations:

  • Users of affected versions should upgrade to one of the patched versions: Struts 2.3.32 or Struts 2.5.10.1.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
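As an added example (not code from the advisory or from the Struts project), the following Python check reads a Maven pom.xml, resolves the declared struts-core version (including a ${property} reference) and compares it against the affected ranges and fixed releases listed above; the sample pom.xml, its property name and the helper names are constructed for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Affected struts-core ranges and fixed releases exactly as listed in this advisory.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]
FIXED_VERSIONS = {(2, 3): "2.3.32", (2, 5): "2.5.10.1"}

def parse_version(text):
    """'2.5' -> (2, 5, 0); '2.5.10.1' -> (2, 5, 10, 1); missing parts pad with 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def local(el):
    return el.tag.split("}")[-1]  # strip the Maven POM XML namespace from a tag

def struts_core_versions(pom_xml):
    """Return every struts-core version in a pom.xml string, resolving ${prop} refs."""
    root = ET.fromstring(pom_xml)
    props = {local(p): (p.text or "").strip()
             for el in root if local(el) == "properties" for p in el}
    found = []
    for dep in root.iter():
        if local(dep) != "dependency":
            continue
        f = {local(c): (c.text or "").strip() for c in dep}
        if f.get("groupId") == "org.apache.struts" and f.get("artifactId") == "struts-core":
            ver = f.get("version", "")
            m = re.fullmatch(r"\$\{(.+)\}", ver)
            found.append(props.get(m.group(1), ver) if m else ver)
    return found

def check_pom(pom_xml):
    """Map each declared struts-core version to (affected?, fixed release to move to)."""
    return {v: (is_affected(v), FIXED_VERSIONS.get(parse_version(v)[:2]))
            for v in struts_core_versions(pom_xml)}

# Constructed sample pom.xml (not from the page) that pins struts-core via a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><struts.version>2.3.20</struts.version></properties>
  <dependencies><dependency>
    <groupId>org.apache.struts</groupId><artifactId>struts-core</artifactId>
    <version>${struts.version}</version>
  </dependency></dependencies>
</project>"""
```

Calling `check_pom(SAMPLE_POM)` reports 2.3.20 as affected with 2.3.32 as the release to upgrade to; a version such as 2.5.10.1 is reported as outside the affected ranges.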

Vulnerability Details

  • ID: CVE-2017-5638
  • Project affected: Apache Struts 2
  • Versions affected: >= 2.3.5 - <2.3.31, >=2.5 - <2.5.10
  • Published date: March 16, 2017
  • ≈ Fix date: March 16, 2017
  • Severity: Critical
  • Category: Command Injection