Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2012-0393 — Apache Struts vulnerability

CWE-2647 documents7 sources

Severity

6.4MEDIUMNVD

EPSS

58.5%

top 1.79%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Apache Struts

Timeline

PublishedJan 8

Latest updateMay 4

Description

The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.

CVSS vector

AV:N/AC:L/C:N/I:P/A:PExploitability: 10.0 | Impact: 4.9

Affected Packages1 packages

▶NVDapache/struts2.1.0 — 2.3.1.1

🔴Vulnerability Details

GHSA

Apache Struts's ParameterInterceptor component does not prevent access to public constructors↗2022-05-04

▶

OSV

Apache Struts's ParameterInterceptor component does not prevent access to public constructors↗2022-05-04

▶

CVEList

CVE-2012-0393: The ParameterInterceptor component in Apache Struts before 2↗2012-01-08

▶

💥Exploits & PoCs

Exploit-DB

Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities↗2012-01-06

▶

📋Vendor Advisories

Red Hat

struts: remote creation or overwrite of arbitrary files due ParamterInterceptor not preventing access to public constructors↗2011-12-25

▶

💬Community

Bugzilla

CVE-2012-0393 struts: remote creation or overwrite of arbitrary files due ParamterInterceptor not preventing access to public constructors↗2012-01-11

▶