CVE-2012-0393 — Apache Struts's ParameterInterceptor component does not prevent access to public

Description

The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.

How to fix CVE-2012-0393

To remediate CVE-2012-0393, upgrade the affected package to a fixed version below.

Maven/org.apache.struts:struts2-core—upgrade to 2.3.1.1 or later
Maven/org.apache.struts.xwork:xwork-core—upgrade to 2.2.3.1 or later

Is CVE-2012-0393 being exploited?

Likely — EPSS is 73.6%, placing CVE-2012-0393 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

from 0, < 2.3.1.1
from 0, < 2.2.3.1

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-0393
PATCHgithub.com/apache/struts
WEBarchives.neohapsis.com/archives/bugtraq/2012-01/0031.html
WEBgithub.com/apache/struts/commit/25e50069d60434a30395e3a98357ffba2bed427e