⚠ Actively exploited
Added to CISA KEV on 2022-01-21. Federal agencies required to patch by 2022-07-21. Required action: Apply updates per vendor instructions..

CVE-2012-0391Improper Input Validation in Apache Struts

CWE-20Improper Input ValidationCWE-94Code Injection10 documents9 sources
Severity
9.8CRITICALNVD
EPSS
88.3%
top 0.50%
CISA KEV
KEV
Added 2022-01-21
Due 2022-07-21
Exploit
Exploited in wild
Active exploitation observed
Affected products
1
Apache Struts
Timeline
PublishedJan 8
KEV addedJan 21
Latest updateMay 4
KEV dueJul 21
CISA Required Action: Apply updates per vendor instructions.

Description

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDapache/struts< 2.2.3.1

🔴Vulnerability Details

4
OSV
Apache Struts Remote Java Code Execution2022-05-04
GHSA
Apache Struts Remote Java Code Execution2022-05-04
CVEList
CVE-2012-0391: The ExceptionDelegator component in Apache Struts before 22012-01-08
VulnCheck
Apache Struts 2 Improper Input Validation Vulnerability2012

💥Exploits & PoCs

2
Exploit-DB
Apache Struts 2.2.1.1 - Remote Command Execution (Metasploit)2012-06-05
Exploit-DB
Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities2012-01-06

📋Vendor Advisories

2
CISA
Apache Struts 2 Improper Input Validation Vulnerability2022-01-21
Red Hat
struts: User input is evaluated as an OGNL expression when there's a conversion error2011-08-05

💬Community

1
Bugzilla
CVE-2012-0391 struts: User input is evaluated as an OGNL expression when there's a conversion error2012-01-11
CVE-2012-0391 — Improper Input Validation in Apache | cvebase