CVE-2012-0391
In short
Apache Struts improperly processes user input as code during error handling, allowing attackers to execute arbitrary Java commands on the server. This is a critical vulnerability that can completely compromise the affected system.
Technical detail
The ExceptionDelegator in Apache Struts < 2.2.3.1 evaluates parameter values as OGNL expressions while handling exceptions raised by type mismatches (for example, a non-numeric value supplied for a numeric property), enabling unauthenticated remote code execution. An attacker can craft request parameters that are evaluated by the expression language and run arbitrary Java code with the privileges of the application server process.
Summary generated and translated by AI from the official description.
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
Public PoCs found — 3
cve_reference: www.exploit-db.com/exploits/18329 (unverified)
exploitdb: www.exploit-db.com/exploits/18984 (unverified)
exploitdb: www.exploit-db.com/exploits/18329 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
http://secunia.com/advisories/47393
https://issues.apache.org/jira/browse/WW-3668
http://struts.apache.org/2.x/docs/s2-008.html
http://struts.apache.org/2.x/docs/version-notes-2311.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-0391
https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
http://www.exploit-db.com/exploits/18329