
Apache Struts 2 RCE S2-045

Impact: High

Description

Apache Struts 2 suffers from a Remote Code Execution (RCE) vulnerability, designated S2-045. It allows attackers to execute arbitrary commands on the server by exploiting a flaw in the way Apache Struts handles certain Content-Type values. When an invalid Content-Type value is provided, an exception is thrown, and the resulting error message can be leveraged by attackers.

Recommendation

If you are using the Jakarta-based file upload Multipart parser, upgrade to Apache Struts version 2.3.32 or 2.5.10.1, or a newer version.
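To check deployed applications against the fixed versions above, the following added example (not SmartScanner or Apache code) walks a directory tree and classifies each Struts core jar it finds. It assumes the jar is named `struts2-core-<version>.jar`, and it flags every 2.3.x or 2.5.x build below the fixed release, since this page names only the fixed versions; other branches are reported as unknown.

```python
import os
import re
import tempfile

# Fixed releases named in the recommendation above, keyed by release branch.
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}
# Assumed jar naming: struts2-core-<dotted version>.jar
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$")


def status(version):
    """Return 'upgrade', 'ok' or 'unknown' for a dotted Struts version string."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED.get(parts[:2])
    if fixed is None:
        return "unknown"  # branch not covered by the recommendation
    # Pad both tuples so 2.5.10 sorts below 2.5.10.1 and 2.3.32.0 equals 2.3.32.
    width = max(len(parts), len(fixed))
    parts += (0,) * (width - len(parts))
    fixed += (0,) * (width - len(fixed))
    return "upgrade" if parts < fixed else "ok"


def scan(root):
    """Walk root and return {jar_path: status} for every Struts core jar."""
    results = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            match = JAR_RE.match(name)
            if match:
                results[os.path.join(folder, name)] = status(match.group(1))
    return results


def demo():
    # Constructed sample tree: empty files named like deployed Struts jars.
    with tempfile.TemporaryDirectory() as root:
        for app, ver in (("shop", "2.3.31"), ("portal", "2.5.10.1")):
            lib = os.path.join(root, app, "WEB-INF", "lib")
            os.makedirs(lib)
            open(os.path.join(lib, f"struts2-core-{ver}.jar"), "w").close()
        return {os.path.basename(p): s for p, s in scan(root).items()}


if __name__ == "__main__":
    for jar, state in sorted(demo().items()):
        print(jar, state)
```

The walk only sees jars that exist as files on disk; a copy packed inside an unexpanded WAR or a repackaged archive has to be extracted or inspected separately.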

Last updated on May 13, 2024
