CVE-2012-0391 — Apache Struts Remote Java Code Execution

Description

The `ExceptionDelegator` component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

How to fix CVE-2012-0391

To remediate CVE-2012-0391, upgrade the affected package to a fixed version below.

—upgrade to 2.2.3.1 or later
—upgrade to 2.2.3.1 or later

Is CVE-2012-0391 being exploited?

Yes — CVE-2012-0391 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (2)

from 0, < 2.2.3.1
from 0, < 2.2.3.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (13)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-0391
PATCHgithub.com/apache/struts
WEBarchives.neohapsis.com/archives/bugtraq/2012-01/0031.html
WEBsecunia.com/advisories/47393
WEB