Apache Struts 2 Jakarta Multipart Parser file upload command execution

Added: 03/16/2017
CVE: CVE-2017-5638
BID: 96729

Background

Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.

Problem

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file uploads. Remote attackers can execute arbitrary commands via a "#cmd=" string in a specially crafted Content-Type HTTP header.

Resolution

Upgrade Struts 2.3.x series to Struts 2.3.32 or later, and Struts 2.5.x series to Struts 2.5.10.1 or later.
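
To find deployments that still need this upgrade, the following added example (not part of the original advisory or of the Struts project) classifies struts2-core jars against the fix levels above. It assumes the library is deployed as struts2-core-<version>.jar; the function names and sample paths are constructed for illustration.

```python
import re
from pathlib import Path

# First fixed release per series, as given in this advisory's Resolution.
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

# Assumption: the core library is deployed as struts2-core-<version>.jar,
# optionally with a qualifier such as -BETA3 after the numeric version.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)(?:-[A-Za-z][\w.]*)?\.jar$")


def _pad(version, width=4):
    """Right-pad with zeros so 2.5.10 sorts below 2.5.10.1."""
    return tuple(version) + (0,) * (width - len(version))


def status(version_text):
    """Classify a Struts version string against the advisory's fix levels."""
    version = tuple(int(part) for part in version_text.split("."))
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "not covered"  # series this advisory does not mention
    return "upgrade" if _pad(version) < _pad(fixed) else "fixed"


def audit(paths):
    """Return (path, version, status) for each struts2-core jar in paths."""
    findings = []
    for path in paths:
        match = JAR_RE.match(Path(path).name)
        if match:
            findings.append((str(path), match.group(1), status(match.group(1))))
    return findings


def scan_tree(root):
    """Audit every struts2-core jar found below a directory."""
    return audit(sorted(Path(root).rglob("struts2-core-*.jar")))


# Constructed sample paths, not taken from a real host.
SAMPLE_PATHS = [
    "/opt/app1/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/app2/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/opt/app3/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/app4/WEB-INF/lib/struts2-core-2.3.32.jar",
    "/opt/app4/WEB-INF/lib/commons-fileupload-1.3.2.jar",
]

if __name__ == "__main__":
    for path, version, state in audit(SAMPLE_PATHS):
        print(f"{state:12} {version:10} {path}")
```

Jars bundled inside an unexpanded WAR or a shaded application jar are not visible to scan_tree and have to be unpacked first.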

References

https://cwiki.apache.org/confluence/display/WW/S2-045
https://www.exploit-db.com/exploits/41570/

Limitations

The exploit works on vulnerable versions of Apache Struts: 2.3.5 through 2.3.31 and 2.5 through 2.5.10.