The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
References
Link | Resource |
---|---|
http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html | Exploit |
http://secunia.com/advisories/47393 | Vendor Advisory |
http://struts.apache.org/2.x/docs/s2-008.html | Vendor Advisory |
http://struts.apache.org/2.x/docs/version-notes-2311.html | Vendor Advisory |
http://www.exploit-db.com/exploits/18329 | Exploit |
https://issues.apache.org/jira/browse/WW-3668 | Vendor Advisory |
https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt | Exploit |
http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html | Exploit |
http://secunia.com/advisories/47393 | Vendor Advisory |
http://struts.apache.org/2.x/docs/s2-008.html | Vendor Advisory |
http://struts.apache.org/2.x/docs/version-notes-2311.html | Vendor Advisory |
http://www.exploit-db.com/exploits/18329 | Exploit |
https://issues.apache.org/jira/browse/WW-3668 | Vendor Advisory |
https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt | Exploit |
Configurations
History
21 Nov 2024, 01:34
Type | Values Removed | Values Added |
---|---|---|
References | () http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html - Exploit | |
References | () http://secunia.com/advisories/47393 - Vendor Advisory | |
References | () http://struts.apache.org/2.x/docs/s2-008.html - Vendor Advisory | |
References | () http://struts.apache.org/2.x/docs/version-notes-2311.html - Vendor Advisory | |
References | () http://www.exploit-db.com/exploits/18329 - Exploit | |
References | () https://issues.apache.org/jira/browse/WW-3668 - Vendor Advisory | |
References | () https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt - Exploit |
Information
Published : 2012-01-08 15:55
Updated : 2024-11-21 01:34
NVD link : CVE-2012-0391
Mitre link : CVE-2012-0391
CVE.ORG link : CVE-2012-0391
JSON object : View
Products Affected
apache
- struts
CWE
CWE-20
Improper Input Validation