⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2017-12611

CWE-20Improper Input Validation13 documents12 sources
Severity
9.8CRITICAL
EPSS
94.2%
top 0.07%
CISA KEV
Not in KEV
Exploit
Exploited in wild
Active exploitation observed
Affected products
2
Apache Software Foundation Apache StrutsApache Struts
Timeline
PublishedSep 20
Latest updateOct 16

Description

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

Mavenorg.apache.struts:struts2-core2.0.12.3.34+1
NVDapache/struts87 versions+86
CVEListV5apache_software_foundation/apache_struts2.0.0 - 2.3.33, 2.5 - 2.5.10.1+1

Patches

Patch: www.oracle.comPatch: kb.netapp.comPatch: www.oracle.com

🔴Vulnerability Details

4
GHSA
Apache Struts 2.0.1 uses an unintentional expression in a Freemarker tag instead of string literal2018-10-16
OSV
Apache Struts 2.0.1 uses an unintentional expression in a Freemarker tag instead of string literal2018-10-16
CVEList
CVE-2017-12611: In Apache Struts 22017-09-20
VulnCheck
Apache Struts Improper Input Validation2017

💥Exploits & PoCs

2
Exploit-DB
Apache Struts 2.0.1 < 2.3.33 / 2.5 < 2.5.10 - Arbitrary Code Execution2017-09-08
Nuclei
Apache Struts2 S2-053 - Remote Code Execution

🔍Detection Rules

2
Suricata
ET EXPLOIT Likely Struts S2-053-CVE-2017-12611 Exploit Attempt M12017-10-06
Suricata
ET EXPLOIT Likely Struts S2-053-CVE-2017-12611 Exploit Attempt M22017-10-06

📋Vendor Advisories

2
Cisco
Apache Struts 2 Remote Code Execution Vulnerability Affecting Multiple Cisco Products: September 20172017-09-09
Red Hat
struts: RCE attack when using an unintentional expression in Freemarker tag instead of string literals2017-09-07

💬Community

1
Bugzilla
CVE-2017-12611 struts: RCE attack when using an unintentional expression in Freemarker tag instead of string literals2017-09-07
CVE-2017-12611 (CRITICAL CVSS 9.8) | In Apache Struts 2.0.0 through 2.3. | cvebase.io