Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2012-0394Code Injection in Apache Struts

CWE-94Code Injection9 documents8 sources
Severity
6.8MEDIUMNVD
EPSS
92.6%
top 0.26%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Apache Struts
Timeline
PublishedJan 8
Latest updateMay 4

Description

The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages1 packages

NVDapache/struts2.0.02.3.17

🔴Vulnerability Details

3
GHSA
Apache Struts's DebuggingInterceptor component allows remote code execution in developer mode2022-05-04
OSV
Apache Struts's DebuggingInterceptor component allows remote code execution in developer mode2022-05-04
CVEList
CVE-2012-0394: The DebuggingInterceptor component in Apache Struts before 22012-01-08

💥Exploits & PoCs

3
Exploit-DB
Apache Struts - Developer Mode OGNL Execution (Metasploit)2014-02-05
Exploit-DB
Apache Struts 2 < 2.3.1 - Multiple Vulnerabilities2012-01-06
Nuclei
Apache Struts <2.3.1.1 - Remote Code Execution

📋Vendor Advisories

1
Red Hat
struts2: remote execution of arbitrary commands when developer mode is used2011-12-25

💬Community

1
Bugzilla
CVE-2012-0394 struts2: remote execution of arbitrary commands when developer mode is used2012-01-11
CVE-2012-0394 — Code Injection in Apache Struts | cvebase