CVE-2012-0394
published 2012-01-08


Priority: P2 (64, medium)
CVSS 2.0: 6.8 medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 74.41% (99.4th percentile)
The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."

Affected (1 range)

Vendor   Product   Version range    Fixed in
apache   struts    2.0.0 – 2.3.17   (not listed)

Detection & IOCs (extracted from sources)

url: /Test.action?debug=command&expression=%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc')
url: /Test.action?id='%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'
cookie: (#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1
path: {{BaseURL}}/portal/displayAPSForm.action?debug=command&expression={{first}}*{{second}}
path: /struts2-blank/example/HelloWorld.action
  • Detect exploitation attempts by monitoring HTTP GET requests containing both 'debug=command' and 'expression=' query parameters targeting Struts action endpoints
  • Detect OGNL injection via Cookie header containing '#_memberAccess' and '\u003d' (unicode-encoded '=') patterns targeting Struts action endpoints
  • Shodan/FOFA fingerprinting: identify exposed Struts instances via HTML body containing 'Struts Problem Report' or page title 'struts2 showcase'
  • Verify vulnerability by sending arithmetic OGNL expression (e.g., integer addition) via debug=command&expression= and checking if the numeric result appears in the HTTP 200 response body
  • Monitor for upload of randomly-named .jar files to the web application working directory as part of multi-stage payload delivery via OGNL FileOutputStream write
  • Flag HTTP parameters containing '#_memberAccess["allowStaticMethodAccess"]' as this is the key bypass technique used to enable static method access for OS command execution
  • Vulnerability only triggers when the application is running in developer mode (devMode=true); production deployments with developer mode disabled are not affected by this specific attack vector
  • The vendor disputes this as a standalone security vulnerability, characterizing developer mode as an inherently unsafe configuration not intended for production
  • The Metasploit module default target URI may need to be adjusted; the default path '/struts2-blank/example/HelloWorld.action' is application-specific and may differ across deployments
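Added example (not from the page's sources): a Python matcher that applies the three request-level detection rules above to the method, request target and Cookie header of one request, as an access log or WAF event would carry them. Function and rule names are assumed; the requests in the test are constructed.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Added example for the CVE-2012-0394 detection rules listed above (not the page's own code).
# The bypass token is the one quoted in the IOCs; rule names are our own labels.
BYPASS_TOKEN = '#_memberAccess["allowStaticMethodAccess"]'


def normalize(value: str) -> str:
    """Percent-decode twice (double encoding is common) and expand the \\u003d escape for '='."""
    return unquote(unquote(value)).replace("\\u003d", "=")


def is_struts_action(path: str) -> bool:
    """Struts 2 action endpoints end in .action, the extension used by the IOC paths."""
    return path.lower().endswith(".action")


def struts_devmode_findings(method: str, target: str, cookie: str = "") -> list:
    """Return the rule names that fire for one request, in a stable order."""
    parts = urlsplit(target)
    findings = []
    if not is_struts_action(parts.path):
        return findings  # the rules above are scoped to Struts action endpoints
    params = parse_qs(parts.query, keep_blank_values=True)  # values percent-decoded once here

    # Rule 1: devMode DebuggingInterceptor entry point: debug=command together with expression=
    if method.upper() == "GET" and "command" in params.get("debug", []) and "expression" in params:
        findings.append("devmode-debug-command")

    # Rule 2: OGNL in the Cookie header using the unicode-escaped '=' that evades naive '=' checks
    if "#_memberAccess" in unquote(cookie) and "\\u003d" in cookie:
        findings.append("cookie-ognl-memberaccess")

    # Rule 3: the static-method-access bypass token in any parameter value or in the cookie
    values = [v for vs in params.values() for v in vs] + [cookie]
    if any(BYPASS_TOKEN in normalize(v) for v in values):
        findings.append("allowstaticmethodaccess-bypass")
    return findings
```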

CVSS provenance

nvd: v2.0 6.8 MEDIUM AV:N/AC:M/Au:N/C:P/I:P/A:P
vendor_redhat: 6.8 MEDIUM