CVE-2012-0838

Description

Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.

How to fix CVE-2012-0838

To remediate CVE-2012-0838, upgrade the affected package to a fixed version below.

• Maven/org.apache.struts:struts2-core—upgrade to 2.2.3.1 or later
• Maven/org.apache.struts.xwork:xwork-core—upgrade to 2.2.3.1 or later

Is CVE-2012-0838 being exploited?

Moderate — EPSS is 11.1%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

• from 0, < 2.2.3.1
• from 0, < 2.2.3.1

References (9)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-0838
• PATCHgithub.com/apache/struts
• WEBjvndb.jvn.jp/jvndb/JVNDB-2012-000012
• WEBjvn.jp/en/jp/JVN79099262/index.html
• WEBgithub.com