Client Automation installation uses Apache Tomcat, so it can be affected by the vulnerability 'CVE-2017-5638'.
Is the Apache vulnerability CVE-2017-5638 affecting my Client Automation installation?
Client Automation 12.9 and above.
From the Apache Struts 2 Documentation S2-045, affected software’s are Struts 2.3.5 - Struts 2.3.31 and Struts 2.5 - Struts 2.5.10. Client Automation makes use of Struts 1.1 framework.
CVE-2017-5638 vulnerability report describes two Struts 2 framework classes which allow for the vulnerability (specifically the FileUploadInterceptor.java and LocalizedTextUtil.java classes). Client Automation currently makes use of the Struts 1.1, which do not make use the affected classes. The Struts-menu 2.3 library (though v2.3) is an independent library and the classes affected are not available in any Struts 1.x framework.
Therefore, Client Automation is not affected by this vulnerability.