CVE-2017-5638
Confirmed PUBLISHEDThe Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message...
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
- CVE Published
- Mar 11, 2017
- Exploitation Reported
- Nov 03, 2021
- CVSS
- 9.8 Critical
- EPSS
- 100.0%
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| Apache Software Foundation |
Apache Struts
|
2.3.x before 2.3.32 |
Affected |
| Apache Software Foundation |
Apache Struts
|
2.5.x before 2.5.10.1 |
Affected |
CVE References
- VU#834067 kb.cert.org · Third-Party Advisory https://www.kb.cert.org/vuls/id/834067
- 41570 exploit-db.com · Exploit https://exploit-db.com/exploits/41570
- 41614 exploit-db.com · Exploit https://www.exploit-db.com/exploits/41614/
- 1037973 securitytracker.com · VDB Entry http://www.securitytracker.com/id/1037973
- 96729 securityfocus.com · VDB Entry http://www.securityfocus.com/bid/96729
Show 28 more references
- [announce] 20200131 Apache Software Foundation Security Report: 2019 lists.apache.org · Mailing List https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e...
- [announce] 20210125 Apache Software Foundation Security Report: 2020 lists.apache.org · Mailing List https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942...
- [announce] 20210223 Re: Apache Software Foundation Security Report: 2020 lists.apache.org · Mailing List https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b5...
- nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html nmap.org · CVE Record https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html
- arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt arubanetworks.com · CVE Record http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt
- arstechnica.com/security/2017/03/critical-vulnerability-unde... arstechnica.com · CVE Record https://arstechnica.com/security/2017/03/critical-vulnerability-under...
- security.netapp.com/advisory/ntap-20170310-0001 security.netapp.com · CVE Record https://security.netapp.com/advisory/ntap-20170310-0001/
- GitHub — rapid7/metasploit-framework github.com · CVE Record https://github.com/rapid7/metasploit-framework/issues/8064
- struts.apache.org/docs/s2-046.html struts.apache.org · CVE Record https://struts.apache.org/docs/s2-046.html
- blog.talosintelligence.com/2017/03/apache-0-day-exploited.html blog.talosintelligence.com · CVE Record http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
- imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-e... imperva.com · CVE Record https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-ex...
- h20566.www2.hpe.com/hpsc/doc/public/display h20566.www2.hpe.com · CVE Record https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&d...
- isc.sans.edu/diary/22169 isc.sans.edu · CVE Record https://isc.sans.edu/diary/22169
- struts.apache.org/docs/s2-045.html struts.apache.org · CVE Record https://struts.apache.org/docs/s2-045.html
- eweek.com/security/apache-struts-vulnerability-under-a... eweek.com · CVE Record http://www.eweek.com/security/apache-struts-vulnerability-under-attac...
- twitter.com/theog150/status/841146956135124993 twitter.com · CVE Record https://twitter.com/theog150/status/841146956135124993
- GitHub — mazen160/struts-pwn github.com · CVE Record https://github.com/mazen160/struts-pwn
- packetstormsecurity.com/files/141494/S2-45-poc.py.txt packetstormsecurity.com · CVE Record https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
- symantec.com/security-center/network-protection-security-... symantec.com · CVE Record https://www.symantec.com/security-center/network-protection-security-...
- support.lenovo.com/us/en/product_security/len-14200 support.lenovo.com · CVE Record https://support.lenovo.com/us/en/product_security/len-14200
- git1-us-west.apache.org/repos/asf git1-us-west.apache.org · CVE Record https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh...
- h20566.www2.hpe.com/hpsc/doc/public/display h20566.www2.hpe.com · CVE Record https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&d...
- git1-us-west.apache.org/repos/asf git1-us-west.apache.org · CVE Record https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh...
- cwiki.apache.org/confluence/display/WW/S2-045 cwiki.apache.org · CVE Record https://cwiki.apache.org/confluence/display/WW/S2-045
- cwiki.apache.org/confluence/display/WW/S2-046 cwiki.apache.org · CVE Record https://cwiki.apache.org/confluence/display/WW/S2-046
- oracle.com/technetwork/security-advisory/cpujul2017-323... oracle.com · CVE Record http://www.oracle.com/technetwork/security-advisory/cpujul2017-323662...
- h20566.www2.hpe.com/hpsc/doc/public/display h20566.www2.hpe.com · CVE Record https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&d...
- blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-563... blog.trendmicro.com · CVE Record http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5...
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| CISA First | 2021-11-03 00:00 UTC |
| The Shadowserver | 2026-07-08 00:00 UTC |
Scanner Artifacts
Nuclei and Metasploit references linked to this CVE.
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2017/CVE-2017-5638.yaml | Apr 25, 2025 |
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_content_type_ognl.rb | Apr 28, 2025 |
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploitation Status
Exploited in the wild
Recorded 2021-11-03 00:00:00 UTC · CISA
Used in malware
Recorded 2021-11-03 00:00:00 UTC · CISA
Proof of concept available
Recorded 2017-03-10 21:33:25 UTC · GitHub
Weaknesses (CWE)
-
Improper Handling of Exceptional Conditions
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Metasploit | https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_content_type_ognl.rb | Apr 28, 2025 |
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2017/CVE-2017-5638.yaml | Apr 25, 2025 |
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2024-12-08 17:22:38 UTC · 0 stars
Proof of concept of CVE-2017-5638 including the whole setup of the Apache vulnerable server
github · Created 2024-09-04 19:59:29 UTC · 1 stars
This repository provides a PoC for CVE-2017-5638, a remote code execution vulnerability in Apache Struts 2, exploitable via a crafted Content-Type HTTP header.
github · Created 2023-05-10 22:48:58 UTC · 0 stars
A exploit for CVE-2017-5638. This exploit works on versions 2.3.5-2.3.31 and 2.5 – 2.5.10
github · Created 2023-03-02 04:37:09 UTC · 0 stars
An exploit for CVE-2017-5638
github · Created 2022-12-21 21:14:12 UTC · 0 stars
this exemple of application permet to test the vunerability CVE_2017-5638
github · Created 2022-03-28 07:58:31 UTC · 0 stars
github · Created 2022-02-28 14:49:52 UTC · 0 stars
This script is intended to validate Apache Struts 2 vulnerability (CVE-2017-5638), AKA Struts-Shock.
github · Created 2021-06-24 05:41:45 UTC · 0 stars
github · Created 2020-12-06 16:16:43 UTC · 1 stars
PoC for CVE: 2017-5638 - Apache Struts2 S2-045
github · Created 2019-03-22 23:25:49 UTC · 0 stars
CVE-2017-5638 (PoC Exploits)
github · Created 2018-11-22 04:02:59 UTC · 2 stars
github · Created 2018-06-24 22:40:54 UTC · 0 stars
github · Created 2018-05-13 16:13:26 UTC · 15 stars
Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution - Shell Script
github · Created 2018-02-15 17:31:07 UTC · 6 stars
Struts02 s2-045 exploit program
github · Created 2018-01-28 05:17:04 UTC · 0 stars
Working POC for CVE 2017-5638
github · Created 2017-09-28 08:43:21 UTC · 1 stars
github · Created 2017-08-24 07:36:14 UTC · 0 stars
github · Created 2017-08-12 23:00:14 UTC · 0 stars
github · Created 2017-07-24 05:05:28 UTC · 3 stars
Exploit created by: R4v3nBl4ck end Pacman
github · Created 2017-06-30 09:55:41 UTC · 13 stars
github · Created 2017-06-30 09:40:31 UTC · 1 stars
github · Created 2017-06-13 06:59:15 UTC · 0 stars
CVE-2017-5638 Test environment
github · Created 2017-06-08 21:47:11 UTC · 0 stars
github · Created 2017-06-05 20:11:06 UTC · 0 stars
github · Created 2017-05-05 13:17:37 UTC · 7 stars
Apache Struts 2.0 RCE vulnerability - Allows an attacker to inject OS commands into a web application through the content-type header
github · Created 2017-03-18 09:39:59 UTC · 0 stars
github · Created 2017-03-13 11:39:55 UTC · 1 stars
Example PHP Exploiter for CVE-2017-5638
github · Created 2017-03-11 14:30:02 UTC · 8 stars
detection for Apache Struts recon and compromise
github · Created 2017-03-11 11:22:44 UTC · 0 stars
CVE: 2017-5638 in different formats
github · Created 2017-03-11 10:43:16 UTC · 0 stars
github · Created 2017-03-11 10:03:54 UTC · 0 stars
test struts2 vulnerability CVE-2017-5638 in Mac OS X
github · Created 2017-03-11 09:39:09 UTC · 2 stars
Tweaking original PoC (https://github.com/rapid7/metasploit-framework/issues/8064) to work on self-signed certificates
github · Created 2017-03-10 21:33:25 UTC · 35 stars
Demo Application and Exploit
nuclei · Created Unknown
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
00:00 UTC 9 days ago00:00 UTC · 9 days ago
KEV confirmed by The Shadowserver
Exploitation attested by an external source
-
15:02 UTC about 1 year ago15:02 UTC · about 1 year ago
Metasploit module available
Exploit module available
-
00:00 UTC about 1 year ago00:00 UTC · about 1 year ago
Nuclei template available
Scanner coverage available
-
00:00 UTC over 4 years ago00:00 UTC · over 4 years ago
Added to CISA KEV
Listed in the CISA Known Exploited Vulnerabilities catalog
-
00:00 UTC over 4 years ago00:00 UTC · over 4 years ago
First public exploitation report
Exploit observed in malware
-
02:11 UTC over 9 years ago02:11 UTC · over 9 years ago
CVE published
Vulnerability disclosed publicly
-
21:33 UTC over 9 years ago21:33 UTC · over 9 years ago
Public PoC available
Public proof-of-concept code published
-
00:00 UTC over 9 years ago00:00 UTC · over 9 years ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2017-5638
{
"cve_id": "CVE-2017-5638",
"title": "The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x...",
"affected_vendor": "Apache Software Foundation",
"affected_product": "Apache Struts",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "Confirmed",
"cvss_score": 9.8,
"epss_score": 0.99999,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}