Vulnerability Details : CVE-2012-0838
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.
Vulnerability category: Input validation, Execute code
Products affected by CVE-2012-0838
- cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-0838
- EPSS score: 1.89% (probability of exploitation activity in the next 30 days)
- Percentile: ~87% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2012-0838
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | |
CWE ids for CVE-2012-0838
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-0838
- http://jvndb.jvn.jp/jvndb/JVNDB-2012-000012
  JVNDB-2012-000012 - JVN iPedia - Vulnerability Countermeasure Information Database (Third Party Advisory; VDB Entry)
- http://struts.apache.org/2.3.1.2/docs/s2-007.html
  S2-007 - DEPRECATED: Apache Struts 2 Documentation - Apache Software Foundation (Vendor Advisory)
- http://jvn.jp/en/jp/JVN79099262/index.html
  JVN#79099262: Apache Struts 2 vulnerable to an arbitrary Java method execution (Third Party Advisory; VDB Entry)
- https://issues.apache.org/jira/browse/WW-3668
  [WW-3668] Vulnerability: User input is evaluated as an OGNL expression when there's a conversion error. - ASF JIRA (Issue Tracking; Vendor Advisory)