Back to KEVs

CVE-2017-5638

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message...

Basic Information

CVE State
PUBLISHED
Reserved Date
January 29, 2017
Published Date
March 11, 2017
Last Updated
February 06, 2025
Vendor
Apache Software Foundation
Product
Apache Struts
Description
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Tags
apache cisa malware ransomware nuclei_scanner metasploit_scanner

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

10.0

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-05-06 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2023-05-10 22:48:58 UTC) Source
Used in Malware
Yes (added 2021-11-03 00:00:00 UTC) Source

References

https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/ https://exploit-db.com/exploits/41570 https://security.netapp.com/advisory/ntap-20170310-0001/ https://github.com/rapid7/metasploit-framework/issues/8064 https://struts.apache.org/docs/s2-046.html http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/ https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us https://www.kb.cert.org/vuls/id/834067 https://isc.sans.edu/diary/22169 https://struts.apache.org/docs/s2-045.html http://www.securitytracker.com/id/1037973 http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html http://www.securityfocus.com/bid/96729 https://twitter.com/theog150/status/841146956135124993 https://github.com/mazen160/struts-pwn https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt https://www.symantec.com/security-center/network-protection-security-advisories/SA145 https://support.lenovo.com/us/en/product_security/len-14200 https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=352306493971e7d5a756d61780d57a76eb1f519a https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=6b8272ce47160036ed120a48345d9aa884477228 https://cwiki.apache.org/confluence/display/WW/S2-045 https://www.exploit-db.com/exploits/41614/ https://cwiki.apache.org/confluence/display/WW/S2-046 http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/ https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E

Known Exploited Vulnerability Information

Source Added Date
CISA 2021-11-03 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Metasploit https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts2_content_type_ognl.rb 2025-04-29 11:01:23 UTC
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2017/CVE-2017-5638.yaml 2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

struts2_content_type_ognl

Type: metasploit • Created: Unknown

Metasploit module for CVE-2017-5638

Xernary/CVE-2017-5638-POC

Type: github • Created: 2024-12-08 17:22:38 UTC • Stars: 0

Proof of concept of CVE-2017-5638 including the whole setup of the Apache vulnerable server

kloutkake/CVE-2017-5638-PoC

Type: github • Created: 2024-09-04 19:59:29 UTC • Stars: 1

This repository provides a PoC for CVE-2017-5638, a remote code execution vulnerability in Apache Struts 2, exploitable via a crafted Content-Type HTTP header.

FredBrave/CVE-2017-5638-ApacheStruts2.3.5

Type: github • Created: 2023-05-10 22:48:58 UTC • Stars: 0

A exploit for CVE-2017-5638. This exploit works on versions 2.3.5-2.3.31 and 2.5 – 2.5.10

mritunjay-k/CVE-2017-5638

Type: github • Created: 2023-03-02 04:37:09 UTC • Stars: 0

An exploit for CVE-2017-5638

mfdev-solution/Exploit-CVE-2017-5638

Type: github • Created: 2022-12-21 21:14:12 UTC • Stars: 0

this exemple of application permet to test the vunerability CVE_2017-5638

Tankirat/CVE-2017-5638

Type: github • Created: 2022-03-28 07:58:31 UTC • Stars: 0

readloud/CVE-2017-5638

Type: github • Created: 2022-02-28 14:49:52 UTC • Stars: 0

This script is intended to validate Apache Struts 2 vulnerability (CVE-2017-5638), AKA Struts-Shock.

Badbird3/CVE-2017-5638

Type: github • Created: 2021-06-24 05:41:45 UTC • Stars: 0

jongmartinez/CVE-2017-5638

Type: github • Created: 2020-12-06 16:16:43 UTC • Stars: 1

PoC for CVE: 2017-5638 - Apache Struts2 S2-045

colorblindpentester/CVE-2017-5638

Type: github • Created: 2019-03-22 23:25:49 UTC • Stars: 0

CVE-2017-5638 (PoC Exploits)

un4ckn0wl3z/CVE-2017-5638

Type: github • Created: 2018-11-22 04:02:59 UTC • Stars: 2

leandrocamposcardoso/CVE-2017-5638-Mass-Exploit

Type: github • Created: 2018-06-24 22:40:54 UTC • Stars: 0

win3zz/CVE-2017-5638

Type: github • Created: 2018-05-13 16:13:26 UTC • Stars: 15

Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution - Shell Script

0x00-0x00/CVE-2017-5638

Type: github • Created: 2018-02-15 17:31:07 UTC • Stars: 6

Struts02 s2-045 exploit program

cafnet/apache-struts-v2-CVE-2017-5638

Type: github • Created: 2018-01-28 05:17:04 UTC • Stars: 0

Working POC for CVE 2017-5638

lizhi16/CVE-2017-5638

Type: github • Created: 2017-09-28 08:43:21 UTC • Stars: 1

Xhendos/CVE-2017-5638

Type: github • Created: 2017-08-12 23:00:14 UTC • Stars: 0

R4v3nBl4ck/Apache-Struts-2-CVE-2017-5638-Exploit-

Type: github • Created: 2017-07-24 05:05:28 UTC • Stars: 3

Exploit created by: R4v3nBl4ck end Pacman

sUbc0ol/Apache-Struts2-RCE-Exploit-v2-CVE-2017-5638

Type: github • Created: 2017-06-30 09:55:41 UTC • Stars: 13

sUbc0ol/Apache-Struts-CVE-2017-5638-RCE-Mass-Scanner

Type: github • Created: 2017-06-30 09:40:31 UTC • Stars: 1

eeehit/CVE-2017-5638

Type: github • Created: 2017-06-13 06:59:15 UTC • Stars: 0

CVE-2017-5638 Test environment

homjxi0e/CVE-2017-5638

Type: github • Created: 2017-06-08 21:47:11 UTC • Stars: 0

AndreasKl/CVE-2017-5638

Type: github • Created: 2017-06-05 20:11:06 UTC • Stars: 0

payatu/CVE-2017-5638

Type: github • Created: 2017-05-05 13:17:37 UTC • Stars: 7

Apache Struts 2.0 RCE vulnerability - Allows an attacker to inject OS commands into a web application through the content-type header

bhagdave/CVE-2017-5638

Type: github • Created: 2017-03-18 09:39:59 UTC • Stars: 0

oktavianto/CVE-2017-5638-Apache-Struts2

Type: github • Created: 2017-03-13 11:39:55 UTC • Stars: 1

Example PHP Exploiter for CVE-2017-5638

initconf/CVE-2017-5638_struts

Type: github • Created: 2017-03-11 14:30:02 UTC • Stars: 8

detection for Apache Struts recon and compromise

random-robbie/CVE-2017-5638

Type: github • Created: 2017-03-11 11:22:44 UTC • Stars: 0

CVE: 2017-5638 in different formats

jrrombaldo/CVE-2017-5638

Type: github • Created: 2017-03-11 10:43:16 UTC • Stars: 0

sjitech/test_struts2_vulnerability_CVE-2017-5638

Type: github • Created: 2017-03-11 10:03:54 UTC • Stars: 0

test struts2 vulnerability CVE-2017-5638 in Mac OS X

immunio/apache-struts2-CVE-2017-5638

Type: github • Created: 2017-03-10 21:33:25 UTC • Stars: 35

Demo Application and Exploit

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Exploit Used in Malware

  • Added to KEVIntel

  • Proof of Concept Exploit Available

  • Detected by Nuclei

  • Detected by Metasploit