gsd-2012-0391
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2012-0391",
"description": "The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.",
"id": "GSD-2012-0391",
"references": [
"https://www.suse.com/security/cve/CVE-2012-0391.html",
"https://packetstormsecurity.com/files/cve/CVE-2012-0391"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2012-0391"
],
"details": "The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.",
"id": "GSD-2012-0391",
"modified": "2023-12-13T01:20:13.465810Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cisa.gov": {
"cveID": "CVE-2012-0391",
"dateAdded": "2022-01-21",
"dueDate": "2022-07-21",
"product": "Struts 2",
"requiredAction": "Apply updates per vendor instructions.",
"shortDescription": "The ExceptionDelegator component in Apache Struts 2 before 2.2.3.1 contains an improper input validation vulnerability which allows for remote code execution.",
"vendorProject": "Apache",
"vulnerabilityName": "Apache Struts 2 Improper Input Validation Vulnerability"
},
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-0391",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "18329",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/18329"
},
{
"name": "20120105 SEC Consult SA-20120104-0 :: Multiple critical vulnerabilities in Apache Struts2",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html"
},
{
"name": "http://struts.apache.org/2.x/docs/version-notes-2311.html",
"refsource": "CONFIRM",
"url": "http://struts.apache.org/2.x/docs/version-notes-2311.html"
},
{
"name": "http://struts.apache.org/2.x/docs/s2-008.html",
"refsource": "CONFIRM",
"url": "http://struts.apache.org/2.x/docs/s2-008.html"
},
{
"name": "https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt",
"refsource": "MISC",
"url": "https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt"
},
{
"name": "https://issues.apache.org/jira/browse/WW-3668",
"refsource": "CONFIRM",
"url": "https://issues.apache.org/jira/browse/WW-3668"
},
{
"name": "47393",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/47393"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:struts:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.2.3.1",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-0391"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "47393",
"refsource": "SECUNIA",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/47393"
},
{
"name": "http://struts.apache.org/2.x/docs/version-notes-2311.html",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "http://struts.apache.org/2.x/docs/version-notes-2311.html"
},
{
"name": "https://issues.apache.org/jira/browse/WW-3668",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://issues.apache.org/jira/browse/WW-3668"
},
{
"name": "http://struts.apache.org/2.x/docs/s2-008.html",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "http://struts.apache.org/2.x/docs/s2-008.html"
},
{
"name": "20120105 SEC Consult SA-20120104-0 :: Multiple critical vulnerabilities in Apache Struts2",
"refsource": "BUGTRAQ",
"tags": [
"Exploit"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html"
},
{
"name": "https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt",
"refsource": "MISC",
"tags": [
"Exploit"
],
"url": "https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt"
},
{
"name": "18329",
"refsource": "EXPLOIT-DB",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/18329"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.3,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2018-11-23T14:36Z",
"publishedDate": "2012-01-08T15:55Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…