CVE-2012-0391 — CRITICAL (9.8)

Q: How severe is CVE-2012-0391?

CVE-2012-0391 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2012-0391?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Struts.

Vulnerability Description

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Struts	< 2.2.3.1

Related Weaknesses (CWE)

CWE-94

References

http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.htmlBroken LinkExploit
http://secunia.com/advisories/47393Vendor Advisory
http://struts.apache.org/2.x/docs/s2-008.htmlVendor Advisory
http://struts.apache.org/2.x/docs/version-notes-2311.htmlVendor Advisory
http://www.exploit-db.com/exploits/18329Exploit
https://issues.apache.org/jira/browse/WW-3668Vendor Advisory
https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_VuBroken LinkExploit
http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.htmlBroken LinkExploit
http://secunia.com/advisories/47393Vendor Advisory
http://struts.apache.org/2.x/docs/s2-008.htmlVendor Advisory
http://struts.apache.org/2.x/docs/version-notes-2311.htmlVendor Advisory
http://www.exploit-db.com/exploits/18329Exploit
https://issues.apache.org/jira/browse/WW-3668Vendor Advisory
https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_VuBroken LinkExploit
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-US Government Resource

FAQ

What is CVE-2012-0391?

CVE-2012-0391 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows...

How severe is CVE-2012-0391?

CVE-2012-0391 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2012-0391?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Struts.