CVE-2012-0394

The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself.

CVSS v2.0 6.8 MEDIUM

6.8^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html	Broken Link
http://struts.apache.org/2.x/docs/s2-008.html	Vendor Advisory
http://struts.apache.org/2.x/docs/version-notes-2311.html	Release Notes Vendor Advisory
http://www.exploit-db.com/exploits/18329	Exploit Third Party Advisory VDB Entry
http://www.exploit-db.com/exploits/31434	Exploit Third Party Advisory VDB Entry
http://www.osvdb.org/78276	Broken Link
https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt	Broken Link

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*

History

07 Nov 2023, 02:09

Type	Values Removed	Values Added
Summary	DISPUTED The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."	The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself.

Information

Published : 2012-01-08 15:55

Updated : 2024-08-06 19:15

NVD link : CVE-2012-0394

Mitre link : CVE-2012-0394

CVE.ORG link : CVE-2012-0394

JSON object : View

Products Affected

apache

struts

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2012-0394", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "cve@mitre.org"}], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2012-01-08T15:55:01.467", "references": [{"url": "http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html", "tags": ["Broken Link"], "source": "cve@mitre.org"}, {"url": "http://struts.apache.org/2.x/docs/s2-008.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://struts.apache.org/2.x/docs/version-notes-2311.html", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.exploit-db.com/exploits/18329", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "http://www.exploit-db.com/exploits/31434", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "http://www.osvdb.org/78276", "tags": ["Broken Link"], "source": "cve@mitre.org"}, {"url": "https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt", "tags": ["Broken Link"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not \"a security vulnerability itself."}, {"lang": "es", "value": "** CUESTIONADA ** El componente DebuggingInterceptor en Apache Struts antes de la versi\u00f3n v2.3.1.1, cuando se usa el modo desarrollador (developer), permite ejecutar comandos de su elecci\u00f3n a atacantes remotos a trav\u00e9s de vectores no especificados. NOTA: el vendedor indica que este comportamiento \"no es una vulnerabilidad de seguridad en si misma\"."}], "lastModified": "2024-08-06T19:15:29.580", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A92C89B-0DAE-4288-AAC5-5A84D195B281", "versionEndIncluding": "2.3.17", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}