CVE-2017-5638

Apache Struts 2 2.3.x 2.3.32 dan oldin va 2.5.x 2.5.10.1 dan oldingi Jakarta ko‘p qismli tahlilchisi faylni yuklash urinishlarida noto‘g‘ri istisnolar va xato xabarlarini yaratishga ega bo‘lib, bu masofaviy tajovuzkorlarga o‘zboshimchalik bilan buyruqlarni ishlab chiqilgan Content, Content, Content yoki Content orqali bajarish imkonini beradi. Kontent-uzunligi HTTP sarlavhasi, 2017-yil mart oyida #cmd= qatorini oʻz ichiga olgan Content-Type sarlavhasi bilan tabiatda ishlatilgan.

CVSS Vector

Manbalar

• http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
• http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/
• http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt
• http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html
• http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html