Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00d3JyLTloNXItbTkyd83e2w
Apache Struts Remote Java Code Execution
The ExceptionDelegator
component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00d3JyLTloNXItbTkyd83e2w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
Identifiers: GHSA-4wrr-9h5r-m92w, CVE-2012-0391
References:
- https://nvd.nist.gov/vuln/detail/CVE-2012-0391
- https://issues.apache.org/jira/browse/WW-3668
- https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
- http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
- http://struts.apache.org/2.x/docs/s2-008.html
- http://struts.apache.org/2.x/docs/version-notes-2311.html
- http://www.exploit-db.com/exploits/18329
- https://github.com/apache/struts/commit/25e50069d60434a30395e3a98357ffba2bed427e
- https://github.com/apache/struts/commit/5f54b8d087f5125d96838aafa5f64c2190e6885b
- https://github.com/apache/struts/commit/b4265d369dc29d57a9f2846a85b26598e83f3892
- https://github.com/advisories/GHSA-4wrr-9h5r-m92w
Blast Radius: 0.0
Affected Packages
maven:org.apache.struts.xwork:xwork-core
Dependent packages: 59Dependent repositories: 484
Downloads:
Affected Version Ranges: < 2.2.3.1
Fixed in: 2.2.3.1
All affected versions:
All unaffected versions: 2.2.1, 2.2.3, 2.3.1, 2.3.3, 2.3.4, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.15, 2.3.16, 2.3.20, 2.3.24, 2.3.28, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.3.34, 2.3.35, 2.3.36, 2.3.37
maven:org.apache.struts:struts2-core
Dependent packages: 194Dependent repositories: 6,183
Downloads:
Affected Version Ranges: < 2.2.3.1
Fixed in: 2.2.3.1
All affected versions:
All unaffected versions: 2.0.5, 2.0.6, 2.0.8, 2.0.9, 2.0.11, 2.0.12, 2.0.14, 2.1.2, 2.1.6, 2.1.8, 2.2.1, 2.2.3, 2.3.1, 2.3.3, 2.3.4, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.15, 2.3.16, 2.3.20, 2.3.24, 2.3.28, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.3.34, 2.3.35, 2.3.36, 2.3.37, 2.5.1, 2.5.2, 2.5.5, 2.5.8, 2.5.10, 2.5.12, 2.5.13, 2.5.14, 2.5.16, 2.5.17, 2.5.18, 2.5.20, 2.5.22, 2.5.25, 2.5.26, 2.5.27, 2.5.28, 2.5.29, 2.5.30, 2.5.31, 2.5.32, 2.5.33, 6.0.0, 6.0.3, 6.1.1, 6.1.2, 6.2.0, 6.3.0, 6.4.0