Vulnerability Details : CVE-2012-0394
Public exploit exists!
The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."
Products affected by CVE-2012-0394
- cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-0394
- 94.89%: Probability of exploitation activity in the next 30 days
- ~99%: Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2012-0394
- Apache Struts 2 Developer Mode OGNL Execution
  Disclosure Date: 2012-01-06
  First seen: 2020-04-26
  Module: exploit/multi/http/struts_dev_mode
  This module exploits a remote command execution vulnerability in Apache Struts 2. The problem exists on applications running in developer mode, where the DebuggingInterceptor allows evaluation and execution of OGNL expressions, which allows remote attackers to execut
CVSS scores for CVE-2012-0394
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
CWE ids for CVE-2012-0394
- The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-0394
- http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
  Tags: Broken Link
- http://www.osvdb.org/78276
  404 Not Found
  Tags: Broken Link
- http://www.exploit-db.com/exploits/18329
  Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities - Multiple webapps Exploit
  Tags: Exploit; Third Party Advisory; VDB Entry
- http://struts.apache.org/2.x/docs/s2-008.html
  S2-008 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation
  Tags: Vendor Advisory
- https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
  Page not found | SEC Consult
  Tags: Broken Link
- http://struts.apache.org/2.x/docs/version-notes-2311.html
  Version Notes 2.3.11 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation
  Tags: Release Notes; Vendor Advisory
- http://www.exploit-db.com/exploits/31434
  Apache Struts - Developer Mode OGNL Execution (Metasploit) - Java remote Exploit
  Tags: Exploit; Third Party Advisory; VDB Entry