

Date: March 10, 2017


Apache Struts is a widely used open source framework for building Java web applications. Affected versions are vulnerable to unauthenticated remote code execution, which can lead to complete compromise of the host running the application.


CVE-2017-5638 exists because of how the Jakarta Multipart Parser, the default multipart request handler in the Apache Struts 2 framework, handles a malformed Content-Type header during a file upload. The parser is selected for any request whose Content-Type contains the multipart marker; when it fails on a malformed header, Struts builds an error message that embeds the raw header value and evaluates that message as an OGNL expression. An attacker therefore only needs to send a crafted Content-Type HTTP header: the expression inside it is evaluated on the server, and any commands it spawns run with the privileges of the account running the servlet container. No authentication is required, and the request does not need to carry a real file.

Affected Environments

Apache Struts 2.3.x before 2.3.32
Apache Struts 2.5.x before


Workarounds if you cannot upgrade immediately:
Apply a servlet filter that validates the Content-Type header and rejects any request whose value does not match a well-formed multipart/form-data type
Use a different Multipart parser implementation in place of the Jakarta parser
Remove the File Upload Interceptor from the interceptor stack: define a custom stack without it and make that stack the default
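The following is an added example of the first workaround above, written for this page; it is not code from the Apache Struts project. It assumes the javax.servlet API is on the classpath and that the filter is mapped in web.xml ahead of the Struts filter. The allow-list accepts only a well-formed multipart/form-data value (media type, a boundary parameter, optionally a charset, nothing else), so a header that merely contains "multipart/form-data" inside an OGNL expression, which is what reaches the vulnerable parser, is rejected before Struts sees it. The sample header values in main() are constructed for the self-check, not captured traffic.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Rejects requests whose Content-Type is multipart-looking but not a well-formed multipart/form-data value. */
public class ContentTypeFilter implements Filter {

    // Strict allow-list: media type, then boundary=... (optionally quoted; RFC 2046 boundary
    // characters, 1-70 of them), then an optional charset parameter, then end of value.
    // Browsers send the parameters in this order; extend the pattern if your clients differ.
    private static final Pattern MULTIPART = Pattern.compile(
        "^multipart/form-data\\s*;\\s*boundary=(\"?)[A-Za-z0-9'()+_,\\-./:=? ]{1,70}\\1"
        + "(?:\\s*;\\s*charset=[A-Za-z0-9._-]{1,40})?\\s*$",
        Pattern.CASE_INSENSITIVE);

    /** True when the header is absent, non-multipart, or a well-formed multipart/form-data value. */
    static boolean isAcceptable(String contentType) {
        if (contentType == null) {
            return true;                        // no body type: the multipart parser is never invoked
        }
        String lower = contentType.toLowerCase(Locale.ROOT);
        if (!lower.contains("multipart/")) {
            return true;                        // non-multipart requests do not reach the Jakarta parser
        }
        // Anything that looks multipart must match the strict form. An OGNL payload wrapped
        // around "multipart/form-data" contains %{ and # and cannot match, so it is dropped here.
        return MULTIPART.matcher(contentType).matches();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (!isAcceptable(request.getHeader("Content-Type"))) {
            // Reject before the Struts FileUploadInterceptor sees the header. Deliberately do not
            // echo the raw header value into the response or logs: it may be an expression.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST, "Unsupported Content-Type");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    // Self-check on constructed header values (not captured traffic).
    public static void main(String[] args) {
        String[] legitimate = {
            null,
            "application/x-www-form-urlencoded",
            "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
            "multipart/form-data; boundary=\"simple boundary\"; charset=UTF-8",
        };
        String[] suspicious = {
            // Shape of a CVE-2017-5638 probe: an OGNL expression that still contains the
            // multipart marker so that Struts routes it to the vulnerable parser (hypothetical value).
            "%{(#_='multipart/form-data')}",
            "multipart/form-data; boundary=%{#hypothetical}",
            "multipart/form-data",                          // no boundary: the parser would throw
            "multipart/form-data; boundary=abc; filename=x", // unexpected extra parameter
        };
        for (String value : legitimate) {
            if (!isAcceptable(value)) throw new AssertionError("rejected legitimate value: " + value);
        }
        for (String value : suspicious) {
            if (isAcceptable(value)) throw new AssertionError("accepted suspicious value: " + value);
        }
        System.out.println("ContentTypeFilter self-check passed");
    }
}
```

Register the filter in web.xml with a filter-mapping that precedes the Struts filter mapping, since the container runs filters in the order their mappings appear. This only covers the Content-Type vector described on this page and is a stopgap; upgrading to a fixed Struts release remains the actual fix.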


Upgrade to Apache Struts 2.3.32 or the corresponding fixed 2.5.x release, and keep web servers patched with the latest software versions.

Language: Java

Good to know:
Input Validation
Upgrade Version

Upgrade to version org.apache.struts:struts2-core:2.3.32, org.apache.struts:struts2-core:


CVSS v3 Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CVSS v2 Base Score:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (AU): None
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete