admin/GobyVuls
1
0
Fork 0
mirror of https://github.com/gobysec/GobyVuls.git synced 2025-06-20 18:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add S2-046(CVE-2017-5638)

Browse Source
This commit is contained in:
tardc 2020-04-13 14:58:13 +08:00
parent 2e0671dd95
commit 09cf930001
2 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Struts2/S2-046(CVE-2017-5638)/README.md Normal file
View File

@ -0,0 +1,12 @@
# S2-046 (CVE-2017-5638) Remote Code Execution Vulnerability
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Affected version: Apache Struts2 2.3.5 - 2.3.31 and 2.5.x - 2.5.10
FOFA query rule: app="Struts2"
# Demo
![](S2-046.gif)

BIN
Struts2/S2-046(CVE-2017-5638)/S2-046.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.8 MiB