CVE-2012-0394
Published: 2012-01-08
Priority: P2 · 64 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 74.41% (99.4th percentile)
The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | 2.0.0 – 2.3.17 | — |
Detection & IOCs (extracted from sources)
url: /Test.action?debug=command&expression=%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc')
url: /Test.action?id='%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'
cookie: (#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1
- Detect exploitation attempts by monitoring HTTP GET requests containing both 'debug=command' and 'expression=' query parameters targeting Struts action endpoints
- Detect OGNL injection via Cookie header containing '#_memberAccess' and '\u003d' (unicode-encoded '=') patterns targeting Struts action endpoints
- Shodan/FOFA fingerprinting: identify exposed Struts instances via HTML body containing 'Struts Problem Report' or page title 'struts2 showcase'
- Verify vulnerability by sending arithmetic OGNL expression (e.g., integer addition) via debug=command&expression= and checking if the numeric result appears in the HTTP 200 response body
- Monitor for upload of randomly-named .jar files to the web application working directory as part of multi-stage payload delivery via OGNL FileOutputStream write
- Flag HTTP parameters containing '#_memberAccess["allowStaticMethodAccess"]' as this is the key bypass technique used to enable static method access for OS command execution
- Vulnerability only triggers when the application is running in developer mode (devMode=true); production deployments with developer mode disabled are not affected by this specific attack vector
- The vendor disputes this as a standalone security vulnerability, characterizing developer mode as an inherently unsafe configuration not intended for production
- The Metasploit module default target URI may need to be adjusted; the default path '/struts2-blank/example/HelloWorld.action' is application-specific and may differ across deployments
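The request-matching items above (debug=command together with expression=, '#_memberAccess' in parameters, and '#_memberAccess' with '\u003d' in the Cookie header) can be combined into one log check. This is an added example, not taken from any of the sources on this page; it assumes requests are already parsed into (request target, Cookie header) pairs, and the rule names and sample records are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample records: (request target, Cookie header). Not real traffic.
SAMPLE_REQUESTS = [
    ("/app/Test.action?debug=command&expression=1%2B1", ""),
    ("/app/Test.action?id=%27%2b(%23_memberAccess[%22allowStaticMethodAccess%22]=true)%2b%27", ""),
    ("/app/Home.action", r'(#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1'),
    ("/app/Home.action?debug=false&page=2", "JSESSIONID=abc123"),
    ("/static/debug.html?expression=none", ""),
]

MEMBER_ACCESS = re.compile(r"#_memberAccess", re.IGNORECASE)
UNICODE_EQ = re.compile(r"\\u003d", re.IGNORECASE)  # literal backslash-u003d


def _decode(value, rounds=2):
    """Percent-decode up to `rounds` times so double-encoded input still matches."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target, cookie):
    """Return the set of (hypothetical) rule names that fire for one request."""
    hits = set()
    query = urlsplit(target).query
    params = {k.lower(): v for k, v in parse_qsl(query, keep_blank_values=True)}
    # DebuggingInterceptor command mode: both parameters must be present.
    if params.get("debug", "").lower() == "command" and "expression" in params:
        hits.add("devmode-debug-command")
    # The action extension is configurable, so the path is not used as a filter.
    if MEMBER_ACCESS.search(_decode(query)):
        hits.add("ognl-memberaccess-param")
    cookie = _decode(cookie)
    if MEMBER_ACCESS.search(cookie):
        hits.add("ognl-memberaccess-cookie")
        if UNICODE_EQ.search(cookie):
            hits.add("cookie-unicode-equals")
    return hits


def scan(requests):
    """Return (target, sorted rule names) for every request that matched."""
    return [(t, sorted(h)) for t, c in requests if (h := classify(t, c))]
```

A hit on devmode-debug-command only indicates an attempt; whether it can succeed depends on devMode being enabled on the target application.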
CVSS provenance
nvd · v2.0 · 6.8 MEDIUM · AV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_redhat · 6.8 MEDIUM
GHSA
Apache Struts's DebuggingInterceptor component allows remote code execution in developer mode
ghsa·2022-05-04
CVE-2012-0394 [MEDIUM] CWE-94 Apache Struts's DebuggingInterceptor component allows remote code execution in developer mode
The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."
OSV
Apache Struts's DebuggingInterceptor component allows remote code execution in developer mode
osv·2022-05-04
CVE-2012-0394 [MEDIUM] Apache Struts's DebuggingInterceptor component allows remote code execution in developer mode
Red Hat
struts2: remote execution of arbitrary commands when developer mode is used
vendor_redhat·2011-12-25·CVSS 6.8
CVE-2012-0394 [MEDIUM] struts2: remote execution of arbitrary commands when developer mode is used
The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages. The inclusion was part of an imp
No detection rules found.
Exploit-DB
Apache Struts - Developer Mode OGNL Execution (Metasploit)
exploitdb·2014-02-05
CVE-2012-0394 Apache Struts - Developer Mode OGNL Execution (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Apache Struts Developer Mode OGNL Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in Apache
Struts 2. The problem exists on applications running in developer mode,
where the DebuggingInterceptor allows evaluation and execution of OGNL
expressions, which allows remote attackers to execute arbitrary Java
code. This module has been tested successfully in Struts 2.3.16, Tomcat
7 and Ubuntu 10.04.
},
'Author' =>
[
'Johannes Dahse', # Vulnerability discovery and PoC
'Andreas Nusser', # Vulnerability discovery and
Exploit-DB
Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities
exploitdb·2012-01-06
CVE-2012-0394 Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities
title: Multiple critical vulnerabilities in Apache Struts2
product: Apache Struts2
* OpenSymphony XWork
* OpenSymphony OGNL
vulnerable version: 2.3.1 and below
fixed version: 2.3.1.1
impact: critical
homepage: http://struts.apache.org/
found: 2011-11-18
by: Johannes Dahse, Andreas Nusser
SEC Consult Vulnerability Lab
https://www.sec-consult.com
Vendor description:
Apache Struts2 is a web framework for creating Java web applications. It is
using the OpenSymphony XWork and OGNL libraries. By default, XWork's
ParametersInterceptor treats parameter names provided to actions as OGNL
expressions. An OGNL (Object Graph Navigation Language) expression is a limited
language similar to Java that is tokenized and parsed by the OGNL parser which
invokes appropriate Java methods. This al
Metasploit
Apache Struts 2 Developer Mode OGNL Execution
metasploit
This module exploits a remote command execution vulnerability in Apache Struts 2. The problem exists on applications running in developer mode, where the DebuggingInterceptor allows evaluation and execution of OGNL expressions, which allows remote attackers to execute arbitrary Java code. This module has been tested successfully on Struts 2.3.16, Tomcat 7 and Ubuntu 10.04.
Nuclei
Apache Struts <2.3.1.1 - Remote Code Execution
nuclei·CVSS 6.8
CVE-2012-0394 [MEDIUM] Apache Struts <2.3.1.1 - Remote Code Execution
Apache Struts before 2.3.1.1 is susceptible to remote code execution. When developer mode is used in the DebuggingInterceptor component, a remote attacker can execute arbitrary OGNL commands via unspecified vectors, which can allow for execution of malware, obtaining sensitive information, modifying data, and/or gaining full control over a compromised system without entering necessary credentials. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."
Template:
id: CVE-2012-0394
info:
  name: Apache Struts <2.3.1.1 - Remote Code Execution
  author: tess
  severity: medium
  description: |
    Apache Struts before 2.3.1.1 is susceptible to remote code execution. When developer mode is used in the DebuggingInterceptor co
Bugzilla
CVE-2012-0394 struts2: remote execution of arbitrary commands when developer mode is used
bugzilla·2012-01-11·CVSS 6.8
CVE-2012-0394 [MEDIUM] CVE-2012-0394 struts2: remote execution of arbitrary commands when developer mode is used
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-0394 to
the following vulnerability:
Name: CVE-2012-0394
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0394
Assigned: 20120108
Reference: http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
Reference: http://www.exploit-db.com/exploits/18329
Reference: http://struts.apache.org/2.x/docs/s2-008.html
Reference: http://struts.apache.org/2.x/docs/version-notes-2311.html
Reference: https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
** DISPUTED ** The DebuggingInterceptor component in Apache Struts
before 2.3.1.1, when developer mode is used, allows remote attacker
Greynoiseio
NoiseLetter September 2024
blogs_greynoiseio
References
http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
http://struts.apache.org/2.x/docs/s2-008.html
http://struts.apache.org/2.x/docs/version-notes-2311.html
http://www.exploit-db.com/exploits/18329
http://www.exploit-db.com/exploits/31434
http://www.osvdb.org/78276
https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt