CVE-2017-5638: Possible Remote Code Execution when performing file upload based on Jakarta Multipart parser.

March 11, 2017 (updated March 4, 2018)

The Jakarta Multipart parser in Apache has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header.

References

www.securityfocus.com/bid/96729
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
cwiki.apache.org/confluence/display/WW/S2-045
exploit-db.com/exploits/41570
nvd.nist.gov/vuln/detail/CVE-2017-5638
packetstormsecurity.com/files/141494/S2-45-poc.py.txt

Detect and mitigate CVE-2017-5638 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →