CVE-2012-0838
Published 2012-03-02
CVE-2012-0838: Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify…
Priority: P354 · CVSS 2.0: 10.0 (critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 14.03% (96.1th percentile)
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | 2.0.0 – 2.2.3 | — |
CVSS provenance
- nvd (CVSS v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- vendor_redhat: 10.0 CRITICAL
GHSA (ghsa · 2022-05-14)
CVE-2012-0838 [HIGH] CWE-20: Apache Struts Code injection due to conversion error
OSV (osv · 2022-05-14)
CVE-2012-0838 [HIGH]: Apache Struts Code injection due to conversion error
Red Hat (vendor_redhat · 2011-08-05 · CVSS 10.0)
CVE-2012-0838 [CRITICAL] Struts2: Certain strings evaluated as OGNL expressions, leading to run-time data modification or arbitrary code execution
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages.
No detection rules found.
No public exploits indexed.
References
- http://jvn.jp/en/jp/JVN79099262/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2012-000012
- http://struts.apache.org/2.3.1.2/docs/s2-007.html
- https://issues.apache.org/jira/browse/WW-3668
Published: 2012-03-02