CVE-2012-0391: Apache Struts 2 Improper Input Validation Vulnerability
First published: Sun Jan 08 2012(Updated: )
The `ExceptionDelegator` component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.struts.xwork:xwork-core | <2.2.3.1 | 2.2.3.1 |
| maven/org.apache.struts:struts2-core | <2.2.3.1 | 2.2.3.1 |
| Apache Struts 2 | >=2.0.0<2.2.3.1 | |
| Apache Struts 2 | <2.2.3.1 | |
| Apache Struts 2 Showcase |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2012-0391
- https://issues.apache.org/jira/browse/WW-3668
- https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
- http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
- http://struts.apache.org/2.x/docs/s2-008.html
- http://struts.apache.org/2.x/docs/version-notes-2311.html
- http://www.exploit-db.com/exploits/18329
- https://github.com/apache/struts/commit/25e50069d60434a30395e3a98357ffba2bed427e
- https://github.com/apache/struts/commit/5f54b8d087f5125d96838aafa5f64c2190e6885b
- https://github.com/apache/struts/commit/b4265d369dc29d57a9f2846a85b26598e83f3892
- https://github.com/advisories/GHSA-4wrr-9h5r-m92w (Advisory)
- http://secunia.com/advisories/47393
Frequently Asked Questions
What is the severity of CVE-2012-0391?
CVE-2012-0391 is classified as a critical vulnerability in Apache Struts.
How do I fix CVE-2012-0391?
To fix CVE-2012-0391, update Apache Struts to version 2.2.3.1 or later.
What types of attacks does CVE-2012-0391 enable?
CVE-2012-0391 allows remote attackers to execute arbitrary Java code via crafted parameters.
Which versions of Apache Struts are affected by CVE-2012-0391?
Apache Struts versions prior to 2.2.3.1 are affected by CVE-2012-0391.
What component of Apache Struts is vulnerable in CVE-2012-0391?
The vulnerable component in CVE-2012-0391 is the ExceptionDelegator component.
- collector/github-advisory-latest
- alias/GHSA-4wrr-9h5r-m92w
- alias/CVE-2012-0391
- collector/github-advisory
- agent/type
- agent/title
- agent/references
- agent/description
- agent/first-publish-date
- agent/author
- agent/trending
- agent/source
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/softwarecombine
- collector/nvd-cve
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- package-manager/maven
- vendor/apache
- canonical/apache struts 2
- version/apache struts 2/2.0.0
- canonical/apache struts 2 showcase