CVE-2017-12611 Apache Struts Freemarker Tag Remote Code Execution Vulnerability (S2-053)




Apache Struts is an open-source Model-View-Controller (MVC) framework for creating elegant, modern Java web applications.

A RCE attack is possible when developer is using wrong construction in Freemarker tags (CVE-2017-12611). Affected software:
Struts 2.0.1 – Struts 2.3.33, Struts 2.5 – Struts 2.5.10

QID detection logic (Authenticated):
Detection looks for “struts core” jar files in deployed web applications directories and lib folder of Tomcat server. Once it successfully finds the jar file, version information is extracted from that jar files and compared.
Please note: Our detection does not support if the applications are deployed with server configuration unpackWARs=false.


A remote attacker could exploit this vulnerability to execute arbitrary code.


The vendor has released advisories and updates to fix these vulnerabilities.
Refer to the following link for further details: Apache Struts Announcements 07 September 2017

Following are links for downloading patches to fix the vulnerabilities:

S2-053 (Apache Struts )

Leave a Reply