Public exploit available: public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
Severity: 9.8 CRITICAL
EPSS: 91.1% (top 0.36%)
CISA KEV: not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: published Nov 1; latest update Apr 22

Description

Apache Struts before 2.3.1.2 allows remote attackers to bypass security protections in the ParameterInterceptor class and execute arbitrary commands.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

Source      Package                          Introduced   Fixed
NVD         apache/struts                    2.0.0        2.3.1.2
Maven       org.apache.struts:struts2-core   2.0.0        2.3.1.2
CVEList V5  apache/struts                    -            2.3.1.2

Vulnerability Details (3)

OSV: Struts ParameterInterceptor vulnerability allows remote command execution (2022-04-22)
GHSA: Struts ParameterInterceptor vulnerability allows remote command execution (2022-04-22)
CVEList: CVE-2011-3923: Apache Struts before 2 (2019-11-01)

Exploits & PoCs (1)

Exploit-DB: Apache Struts - 'ParametersInterceptor' Remote Code Execution (Metasploit) (2013-03-22)

Community (1)

Bugzilla: CVE-2011-3923 struts2: Remote code execution via OGNL injection in HTTP parameter values (2013-08-16)