CVE-2012-0393
published 2012-01-08CVE-2012-0393: The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or…
PriorityP258medium6.4CVSS 2.0
AVNACLAuNCNIPAP
EXPLOIT
EPSS
38.26%
98.4th percentile
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | >= 2.1.0 < 2.3.1.1 | 2.3.1.1 |
Detection & IOCsextracted from sources · hover to see the quote
url/Test.action?id='%2b(new+java.io.BufferedWriter(new+java.io.FileWriter("C:/wwwroot/sec-consult.jsp")).append("jsp+shell").close())%2b'↗
url/Test.action?id='%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'↗
url/Test.action?debug=command&expression=%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc')↗
cookie(#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1↗
- →Detect OGNL injection attempts in HTTP parameter names or values containing '#_memberAccess["allowStaticMethodAccess"]' — a key bypass string used to enable static method access in XWork's SecurityMemberAccess. ↗
- →Detect HTTP requests to Struts action URLs containing 'debug=command&expression=' in the query string, which invokes the DebuggingInterceptor to evaluate arbitrary OGNL expressions. ↗
- →Detect Cookie headers containing OGNL expressions with '\u003d' (unicode-escaped '=') combined with '@java.lang.Runtime@getRuntime().exec', indicating exploitation via the CookieInterceptor. ↗
- →Detect parameter names or values containing 'new+java.io.FileWriter' or 'new+java.io.BufferedWriter' in HTTP requests to Struts action endpoints, indicating arbitrary file write exploitation via ParameterInterceptor. ↗
- ·The bypass requires that the application is running in developer mode OR that the CookieInterceptor/ParametersInterceptor is not restricted to the hardened acceptedParamNames pattern. Exploitation via the Cookie vector (vuln 2) and DebuggingInterceptor (vuln 3) requires developer mode to be enabled. ↗
CVSS provenance
nvdv2.06.4MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:P
vendor_redhat6.4MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Apache Struts's ParameterInterceptor component does not prevent access to public constructors
ghsa·2022-05-04
CVE-2012-0393 [MEDIUM] Apache Struts's ParameterInterceptor component does not prevent access to public constructors
Apache Struts's ParameterInterceptor component does not prevent access to public constructors
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.
OSV
Apache Struts's ParameterInterceptor component does not prevent access to public constructors
osv·2022-05-04
CVE-2012-0393 [MEDIUM] Apache Struts's ParameterInterceptor component does not prevent access to public constructors
Apache Struts's ParameterInterceptor component does not prevent access to public constructors
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.
Red Hat
struts: remote creation or overwrite of arbitrary files due ParamterInterceptor not preventing access to public constructors
vendor_redhat·2011-12-25·CVSS 6.4
CVE-2012-0393 [MEDIUM] struts: remote creation or overwrite of arbitrary files due ParamterInterceptor not preventing access to public constructors
struts: remote creation or overwrite of arbitrary files due ParamterInterceptor not preventing access to public constructors
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code pa
No detection rules found.
http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.htmlhttp://secunia.com/advisories/47393http://struts.apache.org/2.x/docs/s2-008.htmlhttp://struts.apache.org/2.x/docs/version-notes-2311.htmlhttp://www.exploit-db.com/exploits/18329https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txthttp://archives.neohapsis.com/archives/bugtraq/2012-01/0031.htmlhttp://secunia.com/advisories/47393http://struts.apache.org/2.x/docs/s2-008.htmlhttp://struts.apache.org/2.x/docs/version-notes-2311.htmlhttp://www.exploit-db.com/exploits/18329https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
2012-01-08
Published