Description
Apache Struts 2 suffers from a Remote Code Execution (RCE) vulnerability, designated as S2-045. This vulnerability allows attackers to execute arbitrary commands on the server by exploiting a flaw in the way Apache Struts handles certain Content-Type values. When an invalid Content-Type value is provided, an exception is thrown, revealing an error message that can be leveraged by attackers.
Recommendation
To mitigate this vulnerability, if you are using the Jakarta-based file upload Multipart parser, it is recommended to upgrade to Apache Struts version 2.3.32 or 2.5.10.1, or newer versions.
References
- S2-045 - Apache Struts 2 Wiki
- Apache Struts
- CVE-2017-5638
- CWE-20
- CWE-78
- CAPEC-88
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Apache Struts 2 REST plugin XStream RCE S2-052 - CVE-2017-9805
- Apache Struts 2 Forced double OGNL evaluation S2-059 - CVE-2019-0230
- Apache Struts OGNL expression RCE S2-057 - CVE-2018-11776
- Apache Tomcat JSP Upload RCE - CVE-2017-12615, CVE-2017-12617
- Tags:
- RCE
- Struts
- Injection
Anything's wrong? Let us know Last updated on May 13, 2024