Vulnerability Note VU#834067
Apache Struts 2 is vulnerable to remote code execution
Original Release date: 14 Mar 2017 | Last revised: 14 Mar 2017
Apache Struts, versions 2.3.5 – 2.3.31 and 2.5 – 2.5.10, is vulnerable to code injection leading to remote code execution (RCE).
CWE-94: Improper Control of Generation of Code – CVE-2017-5638
An attacker can execute arbitrary OGNL code included in the "Content-Type" header of a file upload.
This vulnerability is actively being exploited.
An unauthenticated remote attacker can execute arbitrary commands with the privileges of the user running Apache Struts.
Apply an update
Update to Apache Struts 2.3.32 or 126.96.36.199
If you are unable to update Struts, please see the workaround suggested by Apache here.
Vendor Information (Learn More)
VendorStatusDate NotifiedDate UpdatedApache StrutsAffected-14 Mar 2017If you are a vendor and your product is affected, let
CVSS Metrics (Learn More)
This document was written by Trent Novelly.
06 Mar 2017
Date First Published:
14 Mar 2017
Date Last Updated:
14 Mar 2017
FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.