One year after researchers saw the first attempts to exploit a critical remote code execution flaw affecting the Apache Struts 2 framework, hackers continue to scan the Web for vulnerable servers.
The vulnerability in question, tracked as CVE-2017-5638, affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10. The security hole was addressed on March 6, 2017 with the release of versions 2.3.32 and 22.214.171.124.
The bug, caused due to improper handling of the Content-Type header, can be triggered when performing file uploads with the Jakarta Multipart parser, and it allows a …read more
Via:: Security Week