cve-2012-0391
Vulnerability from cvelistv5
Published
2012-01-08 15:00
Modified
2024-09-16 17:07
Severity ?
Summary
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
References
cve@mitre.orghttp://archives.neohapsis.com/archives/bugtraq/2012-01/0031.htmlExploit
cve@mitre.orghttp://secunia.com/advisories/47393Vendor Advisory
cve@mitre.orghttp://struts.apache.org/2.x/docs/s2-008.htmlVendor Advisory
cve@mitre.orghttp://struts.apache.org/2.x/docs/version-notes-2311.htmlVendor Advisory
cve@mitre.orghttp://www.exploit-db.com/exploits/18329Exploit
cve@mitre.orghttps://issues.apache.org/jira/browse/WW-3668Vendor Advisory
cve@mitre.orghttps://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txtExploit
af854a3a-2127-422b-91ae-364da2661108http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.htmlExploit
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/47393Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://struts.apache.org/2.x/docs/s2-008.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://struts.apache.org/2.x/docs/version-notes-2311.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.exploit-db.com/exploits/18329Exploit
af854a3a-2127-422b-91ae-364da2661108https://issues.apache.org/jira/browse/WW-3668Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txtExploit
Impacted products
Vendor Product Version
CISA Known exploited vulnerability
Data from the Known Exploited Vulnerabilities Catalog

Date added: 2022-01-21

Due date: 2022-07-21

Required action: Apply updates per vendor instructions.

Used in ransomware: Unknown

Notes: https://nvd.nist.gov/vuln/detail/CVE-2012-0391

Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T18:23:31.000Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "18329",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "http://www.exploit-db.com/exploits/18329"
          },
          {
            "name": "20120105 SEC Consult SA-20120104-0 :: Multiple critical vulnerabilities in Apache Struts2",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://struts.apache.org/2.x/docs/version-notes-2311.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://struts.apache.org/2.x/docs/s2-008.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.apache.org/jira/browse/WW-3668"
          },
          {
            "name": "47393",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/47393"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2012-01-08T15:00:00Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "18329",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "http://www.exploit-db.com/exploits/18329"
        },
        {
          "name": "20120105 SEC Consult SA-20120104-0 :: Multiple critical vulnerabilities in Apache Struts2",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://struts.apache.org/2.x/docs/version-notes-2311.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://struts.apache.org/2.x/docs/s2-008.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.apache.org/jira/browse/WW-3668"
        },
        {
          "name": "47393",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/47393"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2012-0391",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "18329",
              "refsource": "EXPLOIT-DB",
              "url": "http://www.exploit-db.com/exploits/18329"
            },
            {
              "name": "20120105 SEC Consult SA-20120104-0 :: Multiple critical vulnerabilities in Apache Struts2",
              "refsource": "BUGTRAQ",
              "url": "http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html"
            },
            {
              "name": "http://struts.apache.org/2.x/docs/version-notes-2311.html",
              "refsource": "CONFIRM",
              "url": "http://struts.apache.org/2.x/docs/version-notes-2311.html"
            },
            {
              "name": "http://struts.apache.org/2.x/docs/s2-008.html",
              "refsource": "CONFIRM",
              "url": "http://struts.apache.org/2.x/docs/s2-008.html"
            },
            {
              "name": "https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt",
              "refsource": "MISC",
              "url": "https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt"
            },
            {
              "name": "https://issues.apache.org/jira/browse/WW-3668",
              "refsource": "CONFIRM",
              "url": "https://issues.apache.org/jira/browse/WW-3668"
            },
            {
              "name": "47393",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/47393"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2012-0391",
    "datePublished": "2012-01-08T15:00:00Z",
    "dateReserved": "2012-01-08T00:00:00Z",
    "dateUpdated": "2024-09-16T17:07:51.825Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2012-0391",
      "cwes": "[\"CWE-20\"]",
      "dateAdded": "2022-01-21",
      "dueDate": "2022-07-21",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://nvd.nist.gov/vuln/detail/CVE-2012-0391",
      "product": "Struts 2",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "The ExceptionDelegator component in Apache Struts 2 before 2.2.3.1 contains an improper input validation vulnerability that allows for remote code execution.",
      "vendorProject": "Apache",
      "vulnerabilityName": "Apache Struts 2 Improper Input Validation Vulnerability"
    },
    "fkie_nvd": {
      "cisaActionDue": "2022-07-21",
      "cisaExploitAdd": "2022-01-21",
      "cisaRequiredAction": "Apply updates per vendor instructions.",
      "cisaVulnerabilityName": "Apache Struts 2 Improper Input Validation Vulnerability",
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.0.0\", \"versionEndExcluding\": \"2.2.3.1\", \"matchCriteriaId\": \"03A3B36D-229B-41BB-B201-CEB4464511EE\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.\"}, {\"lang\": \"es\", \"value\": \"El componente ExceptionDelegator en Apache Struts antes de v2.2.3.1 interpreta los valores de los par\\u00e1metros como expresiones OGNL durante el manejo de determinadas excepciones en tipos de datos de propiedades no coincidentes, lo que permite a atacantes remotos ejecutar c\\u00f3digo Java a trav\\u00e9s de un par\\u00e1metro especificamente modificado para tal fin.\"}]",
      "id": "CVE-2012-0391",
      "lastModified": "2024-12-19T20:11:52.633",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:C/I:C/A:C\", \"baseScore\": 9.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 8.6, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2012-01-08T15:55:01.217",
      "references": "[{\"url\": \"http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\"]}, {\"url\": \"http://secunia.com/advisories/47393\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://struts.apache.org/2.x/docs/s2-008.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://struts.apache.org/2.x/docs/version-notes-2311.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.exploit-db.com/exploits/18329\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\"]}, {\"url\": \"https://issues.apache.org/jira/browse/WW-3668\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\"]}, {\"url\": \"http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\"]}, {\"url\": \"http://secunia.com/advisories/47393\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://struts.apache.org/2.x/docs/s2-008.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://struts.apache.org/2.x/docs/version-notes-2311.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.exploit-db.com/exploits/18329\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\"]}, {\"url\": \"https://issues.apache.org/jira/browse/WW-3668\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\"]}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2012-0391\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2012-01-08T15:55:01.217\",\"lastModified\":\"2024-12-19T20:11:52.633\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.\"},{\"lang\":\"es\",\"value\":\"El componente ExceptionDelegator en Apache Struts antes de v2.2.3.1 interpreta los valores de los par\u00e1metros como expresiones OGNL durante el manejo de determinadas excepciones en tipos de datos de propiedades no coincidentes, lo que permite a atacantes remotos ejecutar c\u00f3digo Java a trav\u00e9s de un par\u00e1metro especificamente modificado para tal fin.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:C/I:C/A:C\",\"baseScore\":9.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.6,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"cisaExploitAdd\":\"2022-01-21\",\"cisaActionDue\":\"2022-07-21\",\"cisaRequiredAction\":\"Apply updates per vendor instructions.\",\"cisaVulnerabilityName\":\"Apache Struts 2 Improper Input Validation Vulnerability\",\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.2.3.1\",\"matchCriteriaId\":\"03A3B36D-229B-41BB-B201-CEB4464511EE\"}]}]}],\"references\":[{\"url\":\"http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\"]},{\"url\":\"http://secunia.com/advisories/47393\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://struts.apache.org/2.x/docs/s2-008.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://struts.apache.org/2.x/docs/version-notes-2311.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.exploit-db.com/exploits/18329\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\"]},{\"url\":\"https://issues.apache.org/jira/browse/WW-3668\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\"]},{\"url\":\"http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]},{\"url\":\"http://secunia.com/advisories/47393\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://struts.apache.org/2.x/docs/s2-008.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://struts.apache.org/2.x/docs/version-notes-2311.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.exploit-db.com/exploits/18329\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]},{\"url\":\"https://issues.apache.org/jira/browse/WW-3668\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.