Vulnerability Details: CVE-2012-0391
Public exploit exists!
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
Vulnerability category: Input validation
Products affected by CVE-2012-0391
- cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
CVE-2012-0391 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Apache Struts 2 Improper Input Validation Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
The ExceptionDelegator component in Apache Struts 2 before 2.2.3.1 contains an improper input validation vulnerability that allows for remote code execution.
Notes:
https://nvd.nist.gov/vuln/detail/CVE-2012-0391
Added on: 2022-01-21
Action due date: 2022-07-21
Exploit prediction scoring system (EPSS) score for CVE-2012-0391
EPSS score: 18.65% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~96% (the proportion of vulnerabilities that are scored at or less)
Metasploit modules for CVE-2012-0391
- Apache Struts Remote Command Execution
Disclosure Date: 2012-01-06
First seen: 2020-04-26
Module: exploit/multi/http/struts_code_exec_exception_delegator
Description: This module exploits a remote command execution vulnerability in Apache Struts versions < 2.2.1.1. This issue is caused because the ExceptionDelegator interprets parameter values as OGNL expressions during certain exception handling for mismatched data types
CVSS scores for CVE-2012-0391
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | NIST | 
CWE ids for CVE-2012-0391
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-0391
- http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html (Exploit)
- http://www.exploit-db.com/exploits/18329 (Exploit): Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities - Multiple webapps Exploit
- http://struts.apache.org/2.x/docs/s2-008.html (Vendor Advisory): S2-008 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation
- https://issues.apache.org/jira/browse/WW-3668 (Vendor Advisory): [WW-3668] Vulnerability: User input is evaluated as an OGNL expression when there's a conversion error. - ASF JIRA
- https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt (Exploit)
- http://struts.apache.org/2.x/docs/version-notes-2311.html (Vendor Advisory): Version Notes 2.3.11 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation