CVE-2017-5638

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
References
Link Resource
http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html Exploit Third Party Advisory
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/ Exploit Third Party Advisory
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt Third Party Advisory
http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html Press/Media Coverage Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html Patch Third Party Advisory
http://www.securityfocus.com/bid/96729 Broken Link Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1037973 Broken Link Third Party Advisory VDB Entry
https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/ Exploit Press/Media Coverage
https://cwiki.apache.org/confluence/display/WW/S2-045 Mitigation Vendor Advisory
https://cwiki.apache.org/confluence/display/WW/S2-046 Mitigation Vendor Advisory
https://exploit-db.com/exploits/41570 Exploit Third Party Advisory VDB Entry
https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=352306493971e7d5a756d61780d57a76eb1f519a Broken Link
https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=6b8272ce47160036ed120a48345d9aa884477228 Broken Link
https://github.com/mazen160/struts-pwn Exploit
https://github.com/rapid7/metasploit-framework/issues/8064 Exploit Issue Tracking
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us Broken Link
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us Third Party Advisory
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us Third Party Advisory
https://isc.sans.edu/diary/22169 Exploit Third Party Advisory
https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E Mailing List
https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html Exploit Third Party Advisory
https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt Exploit Third Party Advisory VDB Entry
https://security.netapp.com/advisory/ntap-20170310-0001/ Third Party Advisory
https://struts.apache.org/docs/s2-045.html Mitigation Vendor Advisory
https://struts.apache.org/docs/s2-046.html Mitigation Vendor Advisory
https://support.lenovo.com/us/en/product_security/len-14200 Third Party Advisory
https://twitter.com/theog150/status/841146956135124993 Broken Link Third Party Advisory
https://www.exploit-db.com/exploits/41614/ Exploit Third Party Advisory VDB Entry
https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/ Third Party Advisory
https://www.kb.cert.org/vuls/id/834067 Third Party Advisory US Government Resource
https://www.symantec.com/security-center/network-protection-security-advisories/SA145 Broken Link
Configurations

Configuration 1

OR cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*

Configuration 2

AND
OR cpe:2.3:o:ibm:storwize_v3500_firmware:7.7.1.6:*:*:*:*:*:*:*
cpe:2.3:o:ibm:storwize_v3500_firmware:7.8.1.0:*:*:*:*:*:*:*
cpe:2.3:h:ibm:storwize_v3500:-:*:*:*:*:*:*:*

Configuration 3

AND
OR cpe:2.3:o:ibm:storwize_v5000_firmware:7.7.1.6:*:*:*:*:*:*:*
cpe:2.3:o:ibm:storwize_v5000_firmware:7.8.1.0:*:*:*:*:*:*:*
cpe:2.3:h:ibm:storwize_v5000:-:*:*:*:*:*:*:*

Configuration 4

AND
OR cpe:2.3:o:ibm:storwize_v7000_firmware:7.7.1.6:*:*:*:*:*:*:*
cpe:2.3:o:ibm:storwize_v7000_firmware:7.8.1.0:*:*:*:*:*:*:*
cpe:2.3:h:ibm:storwize_v7000:-:*:*:*:*:*:*:*

Configuration 5

AND
OR cpe:2.3:o:lenovo:storage_v5030_firmware:7.7.1.6:*:*:*:*:*:*:*
cpe:2.3:o:lenovo:storage_v5030_firmware:7.8.1.0:*:*:*:*:*:*:*
cpe:2.3:h:lenovo:storage_v5030:-:*:*:*:*:*:*:*

Configuration 6

OR cpe:2.3:a:hp:server_automation:9.1.0:*:*:*:*:*:*:*
cpe:2.3:a:hp:server_automation:10.0.0:*:*:*:*:*:*:*
cpe:2.3:a:hp:server_automation:10.1.0:*:*:*:*:*:*:*
cpe:2.3:a:hp:server_automation:10.2.0:*:*:*:*:*:*:*
cpe:2.3:a:hp:server_automation:10.5.0:*:*:*:*:*:*:*

Configuration 7

OR cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*

Configuration 8

cpe:2.3:a:arubanetworks:clearpass_policy_manager:*:*:*:*:*:*:*:*

Configuration 9

cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*

History

25 Jul 2024, 13:58

Type Values Removed Values Added
CVSS
  Values Removed: v2 : 10.0, v3 : 10.0
  Values Added: v2 : 10.0, v3 : 9.8
CWE
  Values Removed: CWE-20
  Values Added: CWE-755
First Time
  • Lenovo storage V5030 Firmware
  • Ibm storwize V5000 Firmware
  • Ibm
  • Hp
  • Ibm storwize V7000
  • Netapp oncommand Balance
  • Arubanetworks
  • Ibm storwize V3500 Firmware
  • Oracle
  • Ibm storwize V7000 Firmware
  • Ibm storwize V5000
  • Oracle weblogic Server
  • Lenovo storage V5030
  • Hp server Automation
  • Lenovo
  • Arubanetworks clearpass Policy Manager
  • Ibm storwize V3500
  • Netapp
References () http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html - Technical Description, Third Party Advisory () http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html - Exploit, Third Party Advisory
References () http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/ - Technical Description, Third Party Advisory () http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/ - Exploit, Third Party Advisory
References () http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt - () http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt - Third Party Advisory
References () http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html - Press/Media Coverage () http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html - Press/Media Coverage, Third Party Advisory
References () http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html - () http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html - Patch, Third Party Advisory
References () http://www.securityfocus.com/bid/96729 - Third Party Advisory, VDB Entry () http://www.securityfocus.com/bid/96729 - Broken Link, Third Party Advisory, VDB Entry
References () http://www.securitytracker.com/id/1037973 - () http://www.securitytracker.com/id/1037973 - Broken Link, Third Party Advisory, VDB Entry
References () https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/ - Press/Media Coverage () https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/ - Exploit, Press/Media Coverage
References () https://cwiki.apache.org/confluence/display/WW/S2-046 - () https://cwiki.apache.org/confluence/display/WW/S2-046 - Mitigation, Vendor Advisory
References () https://exploit-db.com/exploits/41570 - Exploit, VDB Entry () https://exploit-db.com/exploits/41570 - Exploit, Third Party Advisory, VDB Entry
References () https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=352306493971e7d5a756d61780d57a76eb1f519a - () https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=352306493971e7d5a756d61780d57a76eb1f519a - Broken Link
References () https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=6b8272ce47160036ed120a48345d9aa884477228 - () https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=6b8272ce47160036ed120a48345d9aa884477228 - Broken Link
References () https://github.com/rapid7/metasploit-framework/issues/8064 - Exploit () https://github.com/rapid7/metasploit-framework/issues/8064 - Exploit, Issue Tracking
References () https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us - () https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us - Broken Link
References () https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us - () https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us - Third Party Advisory
References () https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us - () https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us - Third Party Advisory
References () https://isc.sans.edu/diary/22169 - Technical Description, Third Party Advisory () https://isc.sans.edu/diary/22169 - Exploit, Third Party Advisory
References () https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E - () https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E - Mailing List
References () https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E - () https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E - Mailing List
References () https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E - () https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E - Mailing List
References () https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html - Third Party Advisory () https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html - Exploit, Third Party Advisory
References () https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt - Exploit, VDB Entry () https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt - Exploit, Third Party Advisory, VDB Entry
References () https://security.netapp.com/advisory/ntap-20170310-0001/ - () https://security.netapp.com/advisory/ntap-20170310-0001/ - Third Party Advisory
References () https://struts.apache.org/docs/s2-045.html - () https://struts.apache.org/docs/s2-045.html - Mitigation, Vendor Advisory
References () https://struts.apache.org/docs/s2-046.html - () https://struts.apache.org/docs/s2-046.html - Mitigation, Vendor Advisory
References () https://support.lenovo.com/us/en/product_security/len-14200 - () https://support.lenovo.com/us/en/product_security/len-14200 - Third Party Advisory
References () https://twitter.com/theog150/status/841146956135124993 - Third Party Advisory () https://twitter.com/theog150/status/841146956135124993 - Broken Link, Third Party Advisory
References () https://www.exploit-db.com/exploits/41614/ - () https://www.exploit-db.com/exploits/41614/ - Exploit, Third Party Advisory, VDB Entry
References () https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/ - () https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/ - Third Party Advisory
References () https://www.kb.cert.org/vuls/id/834067 - () https://www.kb.cert.org/vuls/id/834067 - Third Party Advisory, US Government Resource
References () https://www.symantec.com/security-center/network-protection-security-advisories/SA145 - () https://www.symantec.com/security-center/network-protection-security-advisories/SA145 - Broken Link

07 Nov 2023, 02:49

Type Values Removed Values Added
References
  • {'url': 'https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a', 'name': 'https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=352306493971e7d5a756d61780d57a76eb1f519a', 'tags': ['Patch'], 'refsource': 'CONFIRM'}
  • {'url': 'https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E', 'name': '[announce] 20200131 Apache Software Foundation Security Report: 2019', 'tags': [], 'refsource': 'MLIST'}
  • {'url': 'https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E', 'name': '[announce] 20210223 Re: Apache Software Foundation Security Report: 2020', 'tags': [], 'refsource': 'MLIST'}
  • {'url': 'https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E', 'name': '[announce] 20210125 Apache Software Foundation Security Report: 2020', 'tags': [], 'refsource': 'MLIST'}
  • {'url': 'https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228', 'name': 'https://git1-us-west.apache.org/repos/asf?p=struts.git;a=commit;h=6b8272ce47160036ed120a48345d9aa884477228', 'tags': ['Patch'], 'refsource': 'CONFIRM'}
  • () https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=6b8272ce47160036ed120a48345d9aa884477228 -
  • () https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=352306493971e7d5a756d61780d57a76eb1f519a -
  • () https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E -
  • () https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E -
  • () https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E -

Information

Published : 2017-03-11 02:59

Updated : 2024-11-21 03:28


NVD link : CVE-2017-5638

Mitre link : CVE-2017-5638

CVE.ORG link : CVE-2017-5638


Products Affected

ibm

  • storwize_v7000
  • storwize_v5000_firmware
  • storwize_v3500_firmware
  • storwize_v7000_firmware
  • storwize_v3500
  • storwize_v5000

arubanetworks

  • clearpass_policy_manager

lenovo

  • storage_v5030
  • storage_v5030_firmware

oracle

  • weblogic_server

apache

  • struts

netapp

  • oncommand_balance

hp

  • server_automation
CWE
CWE-755

Improper Handling of Exceptional Conditions