Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2012-0391

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

Published

2012-01-08T15:55:01.217

Last Modified

2025-04-11T00:51:21.963

Status

Deferred

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

8.6

Impact Score

10.0

Weaknesses

Type: Primary
CWE-20
Type: Secondary
CWE-94

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	struts	< 2.2.3.1	Yes

References

http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html Exploit, Broken Link ([email protected])
http://secunia.com/advisories/47393 Vendor Advisory ([email protected])
http://struts.apache.org/2.x/docs/s2-008.html Vendor Advisory ([email protected])
http://struts.apache.org/2.x/docs/version-notes-2311.html Vendor Advisory ([email protected])
http://www.exploit-db.com/exploits/18329 Exploit ([email protected])
https://issues.apache.org/jira/browse/WW-3668 Vendor Advisory ([email protected])
https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt Exploit, Broken Link ([email protected])
http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html Exploit, Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/47393 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://struts.apache.org/2.x/docs/s2-008.html Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://struts.apache.org/2.x/docs/version-notes-2311.html Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.exploit-db.com/exploits/18329 Exploit (af854a3a-2127-422b-91ae-364da2661108)
https://issues.apache.org/jira/browse/WW-3668 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt Exploit, Broken Link (af854a3a-2127-422b-91ae-364da2661108)