The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Struts
APPApache2.2.3 – 2.3.32 (bez)2.5.0 – 2.5.10.1 (bez)Arubanetworks Clearpass Policy Manager
APPArubanetworks< 6.6.5HP Server Automation
APPHp10.0.010.1.010.2.010.5.09.1.0IBM Storwize V3500
HWIbmwszystkie wersjeIBM Storwize V3500 Firmware
OSIbm7.7.1.67.8.1.0IBM Storwize V5000
HWIbmwszystkie wersjeIBM Storwize V5000 Firmware
OSIbm7.7.1.67.8.1.0IBM Storwize V7000
HWIbmwszystkie wersjeIBM Storwize V7000 Firmware
OSIbm7.7.1.67.8.1.0Lenovo Storage V5030
HWLenovowszystkie wersjeLenovo Storage V5030 Firmware
OSLenovo7.7.1.67.8.1.0Netapp Oncommand Balance
APPNetappwszystkie wersjeOracle Weblogic Server
APPOracle10.3.6.0.012.1.3.0.012.2.1.1.012.2.1.2.0
CISA KEV — detailsi
- Vendori
- Apache ↗
- Producti
- Struts
- Added to KEVi
- November 3, 2021
- Remediation deadline (US Federal)i
- May 3, 2022(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply updates per vendor instructions.
Apache Struts Jakarta Multipart parser allows for malicious file upload using the Content-Type value, leading to remote code execution.
Related vulnerabilities
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) ...
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution....
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supporte...
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Supporte...
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported v...