CVE-2012-0838 — Improper Input Validation in Apache Struts

CWE-20 — Improper Input Validation6 documents6 sources

Severity

10.0CRITICALNVD

EPSS

11.1%

top 6.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Struts

Timeline

PublishedMar 2

Latest updateMay 14

Description

Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages1 packages

▶NVDapache/struts2.0.0 — 2.2.3

🔴Vulnerability Details

GHSA

Apache Struts Code injection due to conversion error↗2022-05-14

▶

OSV

Apache Struts Code injection due to conversion error↗2022-05-14

▶

CVEList

CVE-2012-0838: Apache Struts 2 before 2↗2012-03-02

▶

📋Vendor Advisories

Red Hat

Struts2: Certain strings evaluated as OGNL expressions, leading to run-time data modification or arbitrary code execution↗2011-08-05

▶

💬Community

Bugzilla

CVE-2012-0838 Struts2: Certain strings evaluated as OGNL expressions, leading to run-time data modification or arbitrary code execution↗2012-03-05

▶