Think you have a false positive on this rule?

Sid 1-41818

Message

SERVER-APACHE Apache Struts remote code execution attempt

Summary

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Impact

CVSS base score 10.0 CVSS impact score 6.0 CVSS exploitability score 3.9 confidentialityImpact HIGH integrityImpact HIGH availabilityImpact HIGH

CVE-2017-5638:

CVSS base score 10.0

CVSS impact score 6.0

CVSS exploitability score 3.9

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

CVE-2017-9791:

CVSS base score 9.8

CVSS impact score 5.9

CVSS exploitability score 3.9

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

CVE-2017-5638: The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

CVE-2017-9791: The Struts 1 plugin in Apache Struts 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage.

Affected systems

  • apache struts 2.3.5
  • apache struts 2.3.6
  • apache struts 2.3.7
  • apache struts 2.3.8
  • apache struts 2.3.9
  • apache struts 2.3.10
  • apache struts 2.3.11
  • apache struts 2.3.12
  • apache struts 2.3.13
  • apache struts 2.3.14
  • apache struts 2.3.14.1
  • apache struts 2.3.14.2
  • apache struts 2.3.14.3
  • apache struts 2.3.15
  • apache struts 2.3.15.1
  • apache struts 2.3.15.2
  • apache struts 2.3.15.3
  • apache struts 2.3.16
  • apache struts 2.3.16.1
  • apache struts 2.3.16.2
  • apache struts 2.3.16.3
  • apache struts 2.3.17
  • apache struts 2.3.19
  • apache struts 2.3.20
  • apache struts 2.3.20.1
  • apache struts 2.3.20.2
  • apache struts 2.3.20.3
  • apache struts 2.3.21
  • apache struts 2.3.22
  • apache struts 2.3.23
  • apache struts 2.3.24
  • apache struts 2.3.24.1
  • apache struts 2.3.24.2
  • apache struts 2.3.24.3
  • apache struts 2.3.25
  • apache struts 2.3.26
  • apache struts 2.3.27
  • apache struts 2.3.28
  • apache struts 2.3.28.1
  • apache struts 2.3.29
  • apache struts 2.3.30
  • apache struts 2.3.31
  • apache struts 2.5
  • apache struts 2.5.1
  • apache struts 2.5.2
  • apache struts 2.5.3
  • apache struts 2.5.4
  • apache struts 2.5.5
  • apache struts 2.5.6
  • apache struts 2.5.7
  • apache struts 2.5.8
  • apache struts 2.5.9
  • apache struts 2.5.10
  • apache struts 2.3.1
  • apache struts 2.3.1.1
  • apache struts 2.3.1.2
  • apache struts 2.3.3
  • apache struts 2.3.4
  • apache struts 2.3.4.1
  • apache struts 2.3.12.0
  • apache struts 2.3.32

Ease of attack

CVE-2017-5638:

Access Vector

Access Complexity

Authentication

CVE-2017-9791:

Access Vector

Access Complexity

Authentication

False positives

None known

False negatives

None known

Corrective action

Contributors

  • Talos research team.
  • This document was generated from data supplied by the national vulnerability database, a product of the national institute of standards and technology.
  • For more information see nvd.

Additional References

  • cwiki.apache.org/confluence/display/WW/S2-045