The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
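The root cause is that when the multipart parser rejected a request, the error message it built embedded the raw header value and was then passed through Struts' localized-text lookup, which evaluates OGNL expressions in the message; any OGNL placed in the header therefore ran on the server. The upgrade to 2.3.32 / 2.5.10.1 is the fix. The following is an added example, not code from Apache Struts or from this advisory, showing the two checks a practitioner typically wants around this bug: a strict allowlist for the Content-Type an upload endpoint accepts before anything is parsed, and a detector that flags OGNL markers in logged Content-Type headers. The allowlist grammar, the indicator list (apart from the `#cmd=` string this entry names) and the access-log layout are assumptions made for the example; the sample log lines are constructed, and the suspicious one only mimics the shape of the attack header.

```python
"""Header triage for the Struts 2 multipart error path (CVE-2017-5638).

Added example, not code from Apache Struts or from the advisory. The allowlist
grammar, the indicator list and the log format are assumptions made for this
illustration; "#cmd=" is the one indicator the advisory itself names.
"""
import re
from typing import List, Tuple

# Allowlist for the Content-Type a file-upload endpoint should accept before the
# request is handed to a multipart parser. Assumption: the application only
# needs multipart/form-data with a boundary (bare or quoted) and an optional
# charset parameter; boundary characters follow RFC 2046, length <= 70.
_BOUNDARY = r"[0-9A-Za-z'()+_,\-./:=?]{1,70}"
_MULTIPART_CT = re.compile(
    r"^multipart/form-data\s*;\s*boundary=(?:" + _BOUNDARY + r'|"' + _BOUNDARY + r'")'
    + r"(?:\s*;\s*charset=[A-Za-z0-9_.:\-]{1,40})?\s*$",
    re.IGNORECASE,
)


def is_valid_multipart_content_type(value: str) -> bool:
    """True only for a well-formed multipart/form-data header.

    A request failing this check should get a fixed error message and never
    reach a parser whose failure message could echo the header back.
    """
    return bool(_MULTIPART_CT.match(value))


# Detection indicators for OGNL expression injection in a header value.
# "#cmd=" is the marker cited for the March 2017 attacks; "%{" and "${" are
# OGNL expression delimiters; the remaining entries are fragments seen in
# public payloads for this bug (assumption: tuned for this CVE, not general).
_OGNL_INDICATORS = {
    "%{": re.compile(r"%\{"),
    "${": re.compile(r"\$\{"),
    "#cmd=": re.compile(r"#cmd\s*=", re.IGNORECASE),
    "#_memberAccess": re.compile(r"#_memberAccess", re.IGNORECASE),
    "@ognl.OgnlContext": re.compile(r"@ognl\.OgnlContext", re.IGNORECASE),
    "java.lang.Runtime/ProcessBuilder": re.compile(r"java\.lang\.(?:Runtime|ProcessBuilder)"),
}


def ognl_injection_indicators(value: str) -> List[str]:
    """Names of the indicators present in a header value (empty if none)."""
    return [name for name, pat in _OGNL_INDICATORS.items() if pat.search(value)]


def triage_content_type(value: str) -> str:
    """Classify a Content-Type seen on an upload endpoint: ok / suspicious / malformed."""
    if ognl_injection_indicators(value):
        return "suspicious"
    return "ok" if is_valid_multipart_content_type(value) else "malformed"


# Assumption: an access log that records the Content-Type request header as the
# last quoted field (e.g. nginx "$http_content_type"). Constructed sample lines;
# header values contain no double quotes. The second line mimics the shape of
# the attack header only; it is not a working payload.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Mar/2017:10:12:01 +0000] "POST /upload.action HTTP/1.1" 200 "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"
10.0.0.9 - - [08/Mar/2017:10:12:44 +0000] "GET /index.action HTTP/1.1" 200 "%{(#_='multipart/form-data').(#cmd='id')}"
10.0.0.7 - - [08/Mar/2017:10:13:02 +0000] "POST /upload.action HTTP/1.1" 200 "application/x-www-form-urlencoded"
"""

_LAST_QUOTED = re.compile(r'"([^"]*)"\s*$')


def extract_content_type(log_line: str) -> str:
    """Return the last quoted field of a log line (the logged Content-Type)."""
    m = _LAST_QUOTED.search(log_line)
    return m.group(1) if m else ""


def scan_log(log_text: str) -> List[Tuple[int, str, List[str]]]:
    """(line number, header value, indicators) for every line carrying OGNL markers."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        ct = extract_content_type(line)
        found = ognl_injection_indicators(ct)
        if found:
            hits.append((n, ct, found))
    return hits


if __name__ == "__main__":
    for n, ct, found in scan_log(SAMPLE_LOG):
        print(f"line {n}: {found} in Content-Type {ct!r}")
```

The allowlist is meant for the upload endpoint only: a plain `application/x-www-form-urlencoded` request is classified `malformed` there because it should never be routed to the multipart parser, not because it is hostile. Neither check replaces the upgrade; the detector is for retrospective log review and the allowlist for limiting what can reach an unpatched parser until it is upgraded.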
History
| Date | Type | Values Removed | Values Added |
|---|---|---|---|
| 22 Oct 2025, 00:16 | References | | |
| 21 Oct 2025, 20:16 | References | | |
| 21 Oct 2025, 19:17 | References | | |
Information
Published : 2017-03-11 02:59
Updated : 2025-10-22 00:16
NVD link : CVE-2017-5638
Mitre link : CVE-2017-5638
CVE.ORG link : CVE-2017-5638
Products Affected
ibm
- storwize_v7000_firmware
- storwize_v5000_firmware
- storwize_v3500_firmware
- storwize_v3500
- storwize_v5000
- storwize_v7000
lenovo
- storage_v5030_firmware
- storage_v5030
netapp
- oncommand_balance
apache
- struts
hp
- server_automation
oracle
- weblogic_server
arubanetworks
- clearpass_policy_manager
CWE
CWE-755: Improper Handling of Exceptional Conditions
