Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1obXZqLWdjOXEtbWc5cM3e3g
Apache Struts's DebuggingInterceptor component allows remote code execution in developer mode
The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."
Permalink: https://github.com/advisories/GHSA-hmvj-gc9q-mg9p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1obXZqLWdjOXEtbWc5cM3e3g
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 2 months ago
Identifiers: GHSA-hmvj-gc9q-mg9p, CVE-2012-0394
References:
- https://nvd.nist.gov/vuln/detail/CVE-2012-0394
- https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
- http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html
- http://struts.apache.org/2.x/docs/s2-008.html
- http://struts.apache.org/2.x/docs/version-notes-2311.html
- http://www.exploit-db.com/exploits/18329
- http://www.exploit-db.com/exploits/31434
- https://github.com/apache/struts/commit/34c80dae734e70f13c0e46f9c83602fb71318e58
- https://issues.apache.org/jira/browse/WW-3729
- https://github.com/apache/struts/commit/9cad25f258bb2629d263f828574d2671366c238d
- https://github.com/advisories/GHSA-hmvj-gc9q-mg9p
Blast Radius: 0.0
Affected Packages
maven:org.apache.struts.xwork:xwork-core
Dependent packages: 59
Dependent repositories: 484
Downloads:
Affected Version Ranges: < 2.3.18
Fixed in: 2.3.18
All affected versions: 2.2.1, 2.2.3, 2.3.1, 2.3.3, 2.3.4, 2.3.7, 2.3.8, 2.3.12, 2.3.14, 2.3.15, 2.3.16
All unaffected versions: 2.3.20, 2.3.24, 2.3.28, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.3.34, 2.3.35, 2.3.36, 2.3.37