CVE-2012-0391

critical-risk

Published 2012-01-08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

Do I need to act?

88.3% chance of exploitation in next 30 days

EPSS score — higher than 12% of all CVEs

CISA KEV: actively exploited in the wild

On the Known Exploited Vulnerabilities catalog — federal agencies must patch

2 public exploits available

18984, 18329

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Struts

Affected Vendors

Apache

References (15)

Broken Link http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html

Vendor Advisory http://secunia.com/advisories/47393

Vendor Advisory http://struts.apache.org/2.x/docs/s2-008.html

Vendor Advisory http://struts.apache.org/2.x/docs/version-notes-2311.html

Exploit http://www.exploit-db.com/exploits/18329

Vendor Advisory https://issues.apache.org/jira/browse/WW-3668

Broken Link https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vu...

Broken Link http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html

Vendor Advisory http://secunia.com/advisories/47393

Vendor Advisory http://struts.apache.org/2.x/docs/s2-008.html

Vendor Advisory http://struts.apache.org/2.x/docs/version-notes-2311.html

Exploit http://www.exploit-db.com/exploits/18329

Vendor Advisory https://issues.apache.org/jira/browse/WW-3668

Broken Link https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vu...

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2012-...

/ 100

critical-risk

Severity 32/34 · Critical

Exploitability 34/34 · Critical

Exposure 5/34 · Minimal