tt9133github / libraryiotest


CVE-2017-5638 (High) detected in struts2-core-2.5.2.jar - autoclosed #218

Closed mend-bolt-for-github[bot] closed 2 years ago

mend-bolt-for-github[bot] commented 3 years ago

CVE-2017-5638 - High Severity Vulnerability

Vulnerable Library - struts2-core-2.5.2.jar

Apache Struts 2

Path to dependency file: libraryiotest/pom.xml

Path to vulnerable library: canner/.m2/repository/org/apache/struts/struts2-core/2.5.2/struts2-core-2.5.2.jar

Dependency Hierarchy:
- :x: **struts2-core-2.5.2.jar** (Vulnerable Library)

Found in HEAD commit: 2261725ad0ac321067b88679992502404798af38

Vulnerability Details

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Publish Date: 2017-03-11

URL: CVE-2017-5638

CVSS 3 Score Details (10.0)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://github.com/apache/struts/tree/STRUTS_2_3_32/

Release Date: 2017-03-11

Fix Resolution: org.apache.struts:struts2-core:2.3.32,org.apache.struts:struts2-core:2.5.10.1


mend-bolt-for-github[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.