Grounded case

Apache Struts: input to execution

Attacker-controlled request data became code-like behavior. This case broadens the first case set beyond path and route control and shows direct execution influence clearly.

Path at a glance

How this route unfolds.

Starting condition

The attacker controls request metadata that the framework processes deeply.

Capability shift

That attacker-controlled data influences code-like behavior rather than remaining inert input.

Boundary effect

The route crosses from ordinary input handling into framework interpretation and execution behavior.

Strongest outcome

The surviving route reaches remote code execution.
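The route above in miniature, as an added example that is not code from Struts or from this project: a toy `${...}` interpreter stands in for the framework's expression handling, and every name in it is hypothetical. It shows one request header value staying inert when bound as data and being interpreted when concatenated into the template; the toy language only does lookups and integer arithmetic.

```python
import re

# Toy expression syntax standing in for a framework expression interpreter.
# Hypothetical: this is not the Struts expression language or any Struts API.
EXPR = re.compile(r"\$\{([^{}]*)\}")
ARITH = re.compile(r"(\d+)\s*([+*])\s*(\d+)")


def evaluate(expr, context):
    """Interpret one toy expression: a context lookup or integer arithmetic."""
    expr = expr.strip()
    if expr in context:
        return str(context[expr])
    m = ARITH.fullmatch(expr)
    if m:
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        return str(a + b if op == "+" else a * b)
    return ""


def render(template, context):
    """Framework-side rendering: every ${...} in the template is interpreted once."""
    return EXPR.sub(lambda m: evaluate(m.group(1), context), template)


def error_message_vulnerable(header_value, context):
    # Untrusted metadata is concatenated into the template BEFORE interpretation,
    # so the interpreter cannot tell developer expressions from request text.
    return render("Unsupported type: " + header_value + " (app ${app})", context)


def error_message_hardened(header_value, context):
    # Only the developer-authored template is interpreted; the header value is
    # bound as a variable and inserted as inert text, never re-scanned.
    bound = dict(context, value=header_value)
    return render("Unsupported type: ${value} (app ${app})", bound)


def crosses_into_interpretation(header_value, context):
    """Regression check: True when the concatenating path interpreted the input."""
    return (error_message_vulnerable(header_value, context)
            != error_message_hardened(header_value, context))


if __name__ == "__main__":
    ctx = {"app": "demo"}                      # constructed sample context
    for value in ("text/plain", "${6*7}"):     # constructed header values
        print(repr(value), crosses_into_interpretation(value, ctx))
```
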

Case metadata

Apache Struts

Primary CVE

Strongest primitive

Execution influence

Strongest outcome

Remote code execution

  • It is the strongest current execution-influence anchor in the project.
  • It shows that the exploit-path model is not only about path traversal and route normalization.
  • It gives the first case set a direct attacker-input-to-execution example that teaches the middle layer differently.

Actors and objects

What is in play.

Attacker-facing surface

The request surface is the input channel that carries the controlled data into the framework.

Reachable objects

Interpreter-like or execution-relevant framework behavior that should not have been directly steerable by untrusted input.

Trust and execution spheres

The route shifts from normal request processing into execution-relevant behavior inside the application framework.

Framework mapping

How this case maps into the model.

Primitive families

Execution influence / Data influence

Path roles

Foothold / Leverage gain

Outcome classes

Execution

  • Execution influence is the core primitive because the attacker is shaping behavior that crosses into execution semantics.
  • Data influence still matters because the route starts with input that changes how the framework interprets state.
  • This case shows why the case surface should handle more than traversal-style routes if the framework is going to stay general.

Qualifiers

What makes the route stay weak or get stronger.

  • The route is clearest when the focus stays on how attacker input becomes execution behavior, not on every historical detail of the incident.
  • It does not need a filesystem or route-space crossing to be valuable as a case page.
  • It broadens the surface by showing a different primitive family producing a similarly high-value outcome.