VOOZH about

URL: https://nvd.nist.gov/vuln/detail/CVE-2017-5638

⇱ NVD - CVE-2017-5638

  1. Vulnerabilities

CVE-2017-5638 Detail

Description

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.


Metrics

 
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

URL Source(s) Tag(s)
http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html Apache Software Foundation, CVE Exploit  Third Party Advisory 
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/ Apache Software Foundation, CVE Exploit  Third Party Advisory 
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt Apache Software Foundation, CVE Third Party Advisory 
http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html Apache Software Foundation, CVE Press/Media Coverage  Third Party Advisory 
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html Apache Software Foundation, CVE Patch  Third Party Advisory 
http://www.securityfocus.com/bid/96729 Apache Software Foundation, CVE Broken Link  Third Party Advisory  VDB Entry 
http://www.securitytracker.com/id/1037973 Apache Software Foundation, CVE Broken Link  Third Party Advisory  VDB Entry 
https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/ Apache Software Foundation, CVE Exploit  Press/Media Coverage 
https://cwiki.apache.org/confluence/display/WW/S2-045 Apache Software Foundation, CVE Mitigation  Vendor Advisory 
https://cwiki.apache.org/confluence/display/WW/S2-046 Apache Software Foundation, CVE Mitigation  Vendor Advisory 
https://exploit-db.com/exploits/41570 Apache Software Foundation, CVE Exploit  Third Party Advisory  VDB Entry 
https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=352306493971e7d5a756d61780d57a76eb1f519a Apache Software Foundation, CVE Broken Link 
https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=6b8272ce47160036ed120a48345d9aa884477228 Apache Software Foundation, CVE Broken Link 
https://github.com/mazen160/struts-pwn Apache Software Foundation, CVE Exploit 
https://github.com/rapid7/metasploit-framework/issues/8064 Apache Software Foundation, CVE Exploit  Issue Tracking 
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us Apache Software Foundation, CVE Broken Link 
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us Apache Software Foundation, CVE Third Party Advisory 
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us Apache Software Foundation, CVE Third Party Advisory 
https://isc.sans.edu/diary/22169 Apache Software Foundation, CVE Exploit  Third Party Advisory 
https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E Apache Software Foundation, CVE Mailing List 
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E Apache Software Foundation, CVE Mailing List 
https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E Apache Software Foundation, CVE Mailing List 
https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html Apache Software Foundation, CVE Exploit  Third Party Advisory 
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt Apache Software Foundation, CVE Broken Link  Exploit  Third Party Advisory  VDB Entry 
https://security.netapp.com/advisory/ntap-20170310-0001/ Apache Software Foundation, CVE Third Party Advisory 
https://struts.apache.org/docs/s2-045.html Apache Software Foundation, CVE Mitigation  Vendor Advisory 
https://struts.apache.org/docs/s2-046.html Apache Software Foundation, CVE Mitigation  Vendor Advisory 
https://support.lenovo.com/us/en/product_security/len-14200 Apache Software Foundation, CVE Third Party Advisory 
https://twitter.com/theog150/status/841146956135124993 Apache Software Foundation, CVE Broken Link  Third Party Advisory 
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-5638 CISA-ADP US Government Resource 
https://www.exploit-db.com/exploits/41614/ Apache Software Foundation, CVE Exploit  Third Party Advisory  VDB Entry 
https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/ Apache Software Foundation, CVE Third Party Advisory 
https://www.kb.cert.org/vuls/id/834067 Apache Software Foundation, CVE Third Party Advisory  US Government Resource 
https://www.symantec.com/security-center/network-protection-security-advisories/SA145 Apache Software Foundation, CVE Broken Link 

This CVE is in CISA's Known Exploited Vulnerabilities Catalog

Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements.

Vulnerability Name Date Added Due Date Required Action
Apache Struts Remote Code Execution Vulnerability 11/03/2021 05/03/2022 Apply updates per vendor instructions.

Weakness Enumeration

CWE-ID CWE Name Source
CWE-755 Improper Handling of Exceptional Conditions πŸ‘ cwe source acceptance level
NIST   CISA-ADP  

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

33 change records found show changes

CVE Modified by CISA-ADP 6/16/2026 9:20:54 PM

Action Type Old Value New Value
Added SSVC 
{"timestamp":"2025-02-06T21:06:33.860690Z","id":"CVE-2017-5638","options":[{"exploitation":"active"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}

CVE Modified by Apache Software Foundation 6/16/2026 9:20:54 PM

Action Type Old Value New Value
Added Affected 
[{"vendor":"Apache Software Foundation","product":"Apache Struts","versions":[{"version":"2.3.x before 2.3.32","status":"affected"},{"version":"2.5.x before 2.5.10.1","status":"affected"}]}]

Modified Analysis by NIST 4/21/2026 1:04:11 PM

Action Type Old Value New Value
Changed Reference Type 
Apache Software Foundation: https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt Types: Exploit, Third Party Advisory, VDB Entry


 
Apache Software Foundation: https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt Types: Broken Link, Exploit, Third Party Advisory, VDB Entry
Changed Reference Type 
CVE: https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt Types: Exploit, Third Party Advisory, VDB Entry


 
CVE: https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt Types: Broken Link, Exploit, Third Party Advisory, VDB Entry
Added Reference Type 
CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-5638 Types: US Government Resource

CVE Modified by CISA-ADP 10/21/2025 8:16:06 PM

Action Type Old Value New Value
Added Reference 
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-5638

CVE Modified by CISA-ADP 10/21/2025 4:16:54 PM

Action Type Old Value New Value
Removed Reference 
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-5638

CVE Modified by CISA-ADP 10/21/2025 3:17:08 PM

Action Type Old Value New Value
Added Reference 
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-5638

Modified Analysis by NIST 3/21/2025 5:08:49 PM

Action Type Old Value New Value

CVE Modified by CISA-ADP 2/06/2025 5:15:32 PM

Action Type Old Value New Value
Added CVSS V3.1 
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Added CWE 
CWE-755

Modified Analysis by NIST 1/23/2025 10:28:58 AM

Action Type Old Value New Value

CVE Modified by CVE 11/20/2024 10:28:04 PM

Action Type Old Value New Value
Added Reference 
http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
Added Reference 
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/
Added Reference 
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt
Added Reference 
http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html
Added Reference 
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Added Reference 
http://www.securityfocus.com/bid/96729
Added Reference 
http://www.securitytracker.com/id/1037973
Added Reference 
https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/
Added Reference 
https://cwiki.apache.org/confluence/display/WW/S2-045
Added Reference 
https://cwiki.apache.org/confluence/display/WW/S2-046
Added Reference 
https://exploit-db.com/exploits/41570
Added Reference 
https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=352306493971e7d5a756d61780d57a76eb1f519a
Added Reference 
https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=6b8272ce47160036ed120a48345d9aa884477228
Added Reference 
https://github.com/mazen160/struts-pwn
Added Reference 
https://github.com/rapid7/metasploit-framework/issues/8064
Added Reference 
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us
Added Reference 
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us
Added Reference 
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us
Added Reference 
https://isc.sans.edu/diary/22169
Added Reference 
https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E
Added Reference 
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
Added Reference 
https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E
Added Reference 
https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html
Added Reference 
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
Added Reference 
https://security.netapp.com/advisory/ntap-20170310-0001/
Added Reference 
https://struts.apache.org/docs/s2-045.html
Added Reference 
https://struts.apache.org/docs/s2-046.html
Added Reference 
https://support.lenovo.com/us/en/product_security/len-14200
Added Reference 
https://twitter.com/theog150/status/841146956135124993
Added Reference 
https://www.exploit-db.com/exploits/41614/
Added Reference 
https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/
Added Reference 
https://www.kb.cert.org/vuls/id/834067
Added Reference 
https://www.symantec.com/security-center/network-protection-security-advisories/SA145

Modified Analysis by NIST 7/25/2024 9:58:42 AM

Action Type Old Value New Value
Added CVSS V3.1 
NIST AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Removed CVSS V3 
NIST AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Added CWE 
NIST CWE-755
Removed CWE 
NIST CWE-20
Changed CPE Configuration 
OR
 *cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:*


 
AND
 OR
 *cpe:2.3:o:ibm:storwize_v3500_firmware:7.7.1.6:*:*:*:*:*:*:*
 *cpe:2.3:o:ibm:storwize_v3500_firmware:7.8.1.0:*:*:*:*:*:*:*
 OR
 cpe:2.3:h:ibm:storwize_v3500:-:*:*:*:*:*:*:*
Changed CPE Configuration Record truncated, showing 2048 of 2171 characters.
View Entire Change Record
OR
 *cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.6:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.7:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.8:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.9:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts
 
OR
 *cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* versions from (including) 2.2.3 up to (excluding) 2.3.32
 *cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:* versions from (including) 2.5.0 up to (excluding) 2.5.10.1
Added CPE Configuration 
AND
 OR
 *cpe:2.3:o:ibm:storwize_v5000_firmware:7.7.1.6:*:*:*:*:*:*:*
 *cpe:2.3:o:ibm:storwize_v5000_firmware:7.8.1.0:*:*:*:*:*:*:*
 OR
 cpe:2.3:h:ibm:storwize_v5000:-:*:*:*:*:*:*:*
Added CPE Configuration 
AND
 OR
 *cpe:2.3:o:ibm:storwize_v7000_firmware:7.7.1.6:*:*:*:*:*:*:*
 *cpe:2.3:o:ibm:storwize_v7000_firmware:7.8.1.0:*:*:*:*:*:*:*
 OR
 cpe:2.3:h:ibm:storwize_v7000:-:*:*:*:*:*:*:*
Added CPE Configuration 
AND
 OR
 *cpe:2.3:o:lenovo:storage_v5030_firmware:7.7.1.6:*:*:*:*:*:*:*
 *cpe:2.3:o:lenovo:storage_v5030_firmware:7.8.1.0:*:*:*:*:*:*:*
 OR
 cpe:2.3:h:lenovo:storage_v5030:-:*:*:*:*:*:*:*
Added CPE Configuration 
OR
 *cpe:2.3:a:arubanetworks:clearpass_policy_manager:*:*:*:*:*:*:*:* versions up to (excluding) 6.6.5
Added CPE Configuration 
OR
 *cpe:2.3:a:hp:server_automation:9.1.0:*:*:*:*:*:*:*
 *cpe:2.3:a:hp:server_automation:10.0.0:*:*:*:*:*:*:*
 *cpe:2.3:a:hp:server_automation:10.1.0:*:*:*:*:*:*:*
 *cpe:2.3:a:hp:server_automation:10.2.0:*:*:*:*:*:*:*
 *cpe:2.3:a:hp:server_automation:10.5.0:*:*:*:*:*:*:*
Added CPE Configuration 
OR
 *cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
Added CPE Configuration 
OR
 *cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
 *cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
 *cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*
 *cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*
Changed Reference Type 
http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html Technical Description, Third Party Advisory


 
http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html Exploit, Third Party Advisory
Changed Reference Type 
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/ Technical Description, Third Party Advisory


 
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/ Exploit, Third Party Advisory
Changed Reference Type 
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt No Types Assigned


 
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt Third Party Advisory
Changed Reference Type 
http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html Press/Media Coverage


 
http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html Press/Media Coverage, Third Party Advisory
Changed Reference Type 
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html No Types Assigned


 
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html Patch, Third Party Advisory
Changed Reference Type 
http://www.securityfocus.com/bid/96729 Third Party Advisory, VDB Entry


 
http://www.securityfocus.com/bid/96729 Broken Link, Third Party Advisory, VDB Entry
Changed Reference Type 
http://www.securitytracker.com/id/1037973 No Types Assigned


 
http://www.securitytracker.com/id/1037973 Broken Link, Third Party Advisory, VDB Entry
Changed Reference Type 
https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/ Press/Media Coverage


 
https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/ Exploit, Press/Media Coverage
Changed Reference Type 
https://cwiki.apache.org/confluence/display/WW/S2-046 No Types Assigned


 
https://cwiki.apache.org/confluence/display/WW/S2-046 Mitigation, Vendor Advisory
Changed Reference Type 
https://exploit-db.com/exploits/41570 Exploit, VDB Entry


 
https://exploit-db.com/exploits/41570 Exploit, Third Party Advisory, VDB Entry
Changed Reference Type 
https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=352306493971e7d5a756d61780d57a76eb1f519a No Types Assigned


 
https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=352306493971e7d5a756d61780d57a76eb1f519a Broken Link
Changed Reference Type 
https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=6b8272ce47160036ed120a48345d9aa884477228 No Types Assigned


 
https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=6b8272ce47160036ed120a48345d9aa884477228 Broken Link
Changed Reference Type 
https://github.com/rapid7/metasploit-framework/issues/8064 Exploit


 
https://github.com/rapid7/metasploit-framework/issues/8064 Exploit, Issue Tracking
Changed Reference Type 
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us No Types Assigned


 
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us Broken Link
Changed Reference Type 
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us No Types Assigned


 
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us Third Party Advisory
Changed Reference Type 
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us No Types Assigned


 
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us Third Party Advisory
Changed Reference Type 
https://isc.sans.edu/diary/22169 Technical Description, Third Party Advisory


 
https://isc.sans.edu/diary/22169 Exploit, Third Party Advisory
Changed Reference Type 
https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E No Types Assigned


 
https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E Mailing List
Changed Reference Type 
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E No Types Assigned


 
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E Mailing List
Changed Reference Type 
https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E No Types Assigned


 
https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E Mailing List
Changed Reference Type 
https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html Third Party Advisory


 
https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html Exploit, Third Party Advisory
Changed Reference Type 
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt Exploit, VDB Entry


 
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt Exploit, Third Party Advisory, VDB Entry
Changed Reference Type 
https://security.netapp.com/advisory/ntap-20170310-0001/ No Types Assigned


 
https://security.netapp.com/advisory/ntap-20170310-0001/ Third Party Advisory
Changed Reference Type 
https://struts.apache.org/docs/s2-045.html No Types Assigned


 
https://struts.apache.org/docs/s2-045.html Mitigation, Vendor Advisory
Changed Reference Type 
https://struts.apache.org/docs/s2-046.html No Types Assigned


 
https://struts.apache.org/docs/s2-046.html Mitigation, Vendor Advisory
Changed Reference Type 
https://support.lenovo.com/us/en/product_security/len-14200 No Types Assigned


 
https://support.lenovo.com/us/en/product_security/len-14200 Third Party Advisory
Changed Reference Type 
https://twitter.com/theog150/status/841146956135124993 Third Party Advisory


 
https://twitter.com/theog150/status/841146956135124993 Broken Link, Third Party Advisory
Changed Reference Type 
https://www.exploit-db.com/exploits/41614/ No Types Assigned


 
https://www.exploit-db.com/exploits/41614/ Exploit, Third Party Advisory, VDB Entry
Changed Reference Type 
https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/ No Types Assigned


 
https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/ Third Party Advisory
Changed Reference Type 
https://www.kb.cert.org/vuls/id/834067 No Types Assigned


 
https://www.kb.cert.org/vuls/id/834067 Third Party Advisory, US Government Resource
Changed Reference Type 
https://www.symantec.com/security-center/network-protection-security-advisories/SA145 No Types Assigned


 
https://www.symantec.com/security-center/network-protection-security-advisories/SA145 Broken Link

CVE Modified by Apache Software Foundation 5/14/2024 12:41:35 AM

Action Type Old Value New Value

CVE Modified by Apache Software Foundation 11/06/2023 9:49:27 PM

Action Type Old Value New Value
Added Reference 
Apache Software Foundation https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=352306493971e7d5a756d61780d57a76eb1f519a [No types assigned]
Added Reference 
Apache Software Foundation https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=6b8272ce47160036ed120a48345d9aa884477228 [No types assigned]
Added Reference 
Apache Software Foundation https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E [No types assigned]
Added Reference 
Apache Software Foundation https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E [No types assigned]
Added Reference 
Apache Software Foundation https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E [No types assigned]
Removed Reference 
Apache Software Foundation https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a
Removed Reference 
Apache Software Foundation https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228
Removed Reference 
Apache Software Foundation https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E
Removed Reference 
Apache Software Foundation https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
Removed Reference 
Apache Software Foundation https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E

CVE Modified by Apache Software Foundation 2/24/2021 7:15:18 AM

Action Type Old Value New Value
Added Reference 
https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E [No Types Assigned]

CVE Modified by Apache Software Foundation 1/26/2021 1:15:24 PM

Action Type Old Value New Value
Added Reference 
https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E [No Types Assigned]

CVE Modified by Apache Software Foundation 1/31/2020 4:15:09 AM

Action Type Old Value New Value
Added Reference 
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E [No Types Assigned]

CVE Modified by Apache Software Foundation 3/03/2018 9:29:02 PM

Action Type Old Value New Value
Added Reference 
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt [No Types Assigned]

CVE Modified by Apache Software Foundation 11/09/2017 9:29:20 PM

Action Type Old Value New Value
Added Reference 
https://security.netapp.com/advisory/ntap-20170310-0001/ [No Types Assigned]

CVE Modified by Apache Software Foundation 10/09/2017 9:30:22 PM

Action Type Old Value New Value
Added Reference 
https://www.kb.cert.org/vuls/id/834067 [No Types Assigned]

CVE Modified by Apache Software Foundation 9/22/2017 9:29:03 PM

Action Type Old Value New Value
Changed Description 
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.


 
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Added Reference 
https://cwiki.apache.org/confluence/display/WW/S2-046 [No Types Assigned]
Added Reference 
https://struts.apache.org/docs/s2-045.html [No Types Assigned]
Added Reference 
https://struts.apache.org/docs/s2-046.html [No Types Assigned]

CVE Modified by Apache Software Foundation 9/21/2017 9:29:25 PM

Action Type Old Value New Value
Added Reference 
https://www.symantec.com/security-center/network-protection-security-advisories/SA145 [No Types Assigned]

CVE Modified by Apache Software Foundation 8/15/2017 9:29:18 PM

Action Type Old Value New Value
Added Reference 
https://www.exploit-db.com/exploits/41614/ [No Types Assigned]

CVE Modified by Apache Software Foundation 8/08/2017 9:29:07 PM

Action Type Old Value New Value
Added Reference 
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html [No Types Assigned]

CVE Modified by Apache Software Foundation 7/17/2017 9:18:28 AM

Action Type Old Value New Value
Added Reference 
http://www.securitytracker.com/id/1037973 [No Types Assigned]

CVE Modified by Apache Software Foundation 5/26/2017 9:29:02 PM

Action Type Old Value New Value
Added Reference 
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us [No Types Assigned]

CVE Modified by Apache Software Foundation 5/09/2017 9:29:03 PM

Action Type Old Value New Value
Added Reference 
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us [No Types Assigned]
Added Reference 
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us [No Types Assigned]

CVE Modified by Apache Software Foundation 3/29/2017 9:59:01 PM

Action Type Old Value New Value
Added Reference 
https://support.lenovo.com/us/en/product_security/len-14200 [No Types Assigned]
Added Reference 
https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/ [No Types Assigned]

Reanalysis by NIST 3/27/2017 9:34:59 AM

Action Type Old Value New Value
Changed CVSS V3 
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


 
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Reanalysis by NIST 3/15/2017 9:13:18 AM

Action Type Old Value New Value
Changed CPE Configuration Record truncated, showing 2048 of 2222 characters.
View Entire Change Record
OR
 *cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:st
 Record truncated, showing 2048 of 2171 characters.
View Entire Change Record
OR
 *cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.6:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:str

Reanalysis by NIST 3/14/2017 10:23:04 AM

Action Type Old Value New Value
Changed Reference Type 
http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html No Types Assigned


 
http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html Press/Media Coverage
Changed Reference Type 
http://www.securityfocus.com/bid/96729 No Types Assigned


 
http://www.securityfocus.com/bid/96729 Third Party Advisory, VDB Entry
Changed Reference Type 
https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/ No Types Assigned


 
https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/ Press/Media Coverage
Changed Reference Type 
https://twitter.com/theog150/status/841146956135124993 No Types Assigned


 
https://twitter.com/theog150/status/841146956135124993 Third Party Advisory

Initial Analysis by NIST 3/14/2017 9:45:34 AM

Action Type Old Value New Value
Added CVSS V3 
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Added CVSS V2 
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Added CWE 
CWE-20
Added CPE Configuration Record truncated, showing 2048 of 2222 characters.
View Entire Change Record
OR
 *cpe:2.3:a:apache:struts:2.3.10:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.11:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.12:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.13:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.14:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.14.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.14.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.14.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.15:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.15.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.15.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.15.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.16:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.16.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.16.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.16.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.17:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.19:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.20.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.20.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.20.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.21:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.22:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.23:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.24:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.24.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.24.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.24.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.25:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.26:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.27:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.28:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.28.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.29:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.30:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.31:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.32:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:st
Added CPE Configuration 
OR
 *cpe:2.3:a:apache:struts:2.5:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.1:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.2:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.3:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.4:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.5:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.6:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.7:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.8:*:*:*:*:*:*:*
 *cpe:2.3:a:apache:struts:2.5.9:*:*:*:*:*:*:*
Changed Reference Type 
http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html No Types Assigned


 
http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html Technical Description, Third Party Advisory
Changed Reference Type 
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/ No Types Assigned


 
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/ Technical Description, Third Party Advisory
Changed Reference Type 
https://cwiki.apache.org/confluence/display/WW/S2-045 No Types Assigned


 
https://cwiki.apache.org/confluence/display/WW/S2-045 Mitigation, Vendor Advisory
Changed Reference Type 
https://exploit-db.com/exploits/41570 No Types Assigned


 
https://exploit-db.com/exploits/41570 Exploit, VDB Entry
Changed Reference Type 
https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a No Types Assigned


 
https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a Patch
Changed Reference Type 
https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228 No Types Assigned


 
https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228 Patch
Changed Reference Type 
https://github.com/mazen160/struts-pwn No Types Assigned


 
https://github.com/mazen160/struts-pwn Exploit
Changed Reference Type 
https://github.com/rapid7/metasploit-framework/issues/8064 No Types Assigned


 
https://github.com/rapid7/metasploit-framework/issues/8064 Exploit
Changed Reference Type 
https://isc.sans.edu/diary/22169 No Types Assigned


 
https://isc.sans.edu/diary/22169 Technical Description, Third Party Advisory
Changed Reference Type 
https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html No Types Assigned


 
https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html Third Party Advisory
Changed Reference Type 
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt No Types Assigned


 
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt Exploit, VDB Entry

CVE Modified by Apache Software Foundation 3/13/2017 9:59:03 PM

Action Type Old Value New Value
Added Reference 
http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html [No Types Assigned]
Added Reference 
http://www.securityfocus.com/bid/96729 [No Types Assigned]
Added Reference 
https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/ [No Types Assigned]
Added Reference 
https://twitter.com/theog150/status/841146956135124993 [No Types Assigned]

CVE Modified by Apache Software Foundation 3/12/2017 9:59:00 PM

Action Type Old Value New Value
Added Reference 
https://exploit-db.com/exploits/41570 [No Types Assigned]
Added Reference 
https://github.com/mazen160/struts-pwn [No Types Assigned]
Added Reference 
https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html [No Types Assigned]
Added Reference 
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt [No Types Assigned]

Quick Info

CVE Dictionary Entry:
CVE-2017-5638
NVD Published Date:
03/10/2017
NVD Last Modified:
06/16/2026
Source:
Apache Software Foundation