CVE-2012-0391
CRITICAL9.8⚠ KEVEPSS 87.5%Apache Struts Remote Java Code Execution
Published: 5/4/2022Modified: 5/5/2026Added to CISA KEV: 1/21/2022
Description
The `ExceptionDelegator` component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
Affected packages (2)
- Maven/org.apache.struts:struts2-corefrom 0, < 2.2.3.1
- Maven/org.apache.struts.xwork:xwork-corefrom 0, < 2.2.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (13)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2012-0391
- PATCHhttps://github.com/apache/struts
- WEBhttp://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
- WEBhttp://secunia.com/advisories/47393
- WEBhttps://github.com/apache/struts/commit/25e50069d60434a30395e3a98357ffba2bed427e
- WEBhttps://github.com/apache/struts/commit/5f54b8d087f5125d96838aafa5f64c2190e6885b
- WEBhttps://github.com/apache/struts/commit/b4265d369dc29d57a9f2846a85b26598e83f3892
- WEBhttps://issues.apache.org/jira/browse/WW-3668
- WEBhttp://struts.apache.org/2.x/docs/s2-008.html
- WEBhttp://struts.apache.org/2.x/docs/version-notes-2311.html
- WEBhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-0391
- WEBhttps://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
- WEBhttp://www.exploit-db.com/exploits/18329