Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 9.3
CVE Id CVE-2012-0391
Last Modified 10 Jan 2012 12:00:00
Published 08 Jan 2012 10:55:01
Confidentiality Impact COMPLETE
Integrity Impact COMPLETE
Availability Impact COMPLETE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2012-0391

Summary

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

Vulnerable Systems

Application

  • Apache Struts 2.0.0

  • Apache Struts 2.0.1

  • Apache Struts 2.0.10

  • Apache Struts 2.0.11

  • Apache Struts 2.0.11.1

  • Apache Struts 2.0.11.2

  • Apache Struts 2.0.12

  • Apache Struts 2.0.13

  • Apache Struts 2.0.14

  • Apache Struts 2.0.2

  • Apache Struts 2.0.3

  • Apache Struts 2.0.4

  • Apache Struts 2.0.5

  • Apache Struts 2.0.6

  • Apache Struts 2.0.7

  • Apache Struts 2.0.8

  • Apache Struts 2.0.9

  • Apache Struts 2.1.0

  • Apache Struts 2.1.1

  • Apache Struts 2.1.2

  • Apache Struts 2.1.3

  • Apache Struts 2.1.4

  • Apache Struts 2.1.5

  • Apache Struts 2.1.6

  • Apache Struts 2.1.8

  • Apache Struts 2.1.8.1

  • Apache Struts 2.2.1

  • Apache Struts 2.2.1.1

  • Apache Struts 2.2.3


References

MISC - https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt

CONFIRM - https://issues.apache.org/jira/browse/WW-3668

EXPLOIT-DB - 18329

CONFIRM - http://struts.apache.org/2.x/docs/version-notes-2311.html

CONFIRM - http://struts.apache.org/2.x/docs/s2-008.html

SECUNIA - 47393

BUGTRAQ - 20120105 SEC Consult SA-20120104-0 :: Multiple critical vulnerabilities in Apache Struts2


Last Updated: 27 May 2016 10:58:01